⚠ Actively exploited

Added to CISA KEV on 2025-06-02. Federal agencies required to patch by 2025-06-23. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2024-56145 — Code Injection in Craft CMS

CWE-94 — Code Injection CWE-78 — OS Command Injection13 documents12 sources

Severity

9.3CRITICALNVD

EPSS

93.9%

top 0.12%

CISA KEV

KEV

Added 2025-06-02

Due 2025-06-23

Exploit

PoC available

Public exploit / PoC exists

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedDec 18

KEV addedJun 2

Latest updateJun 3

KEV dueJun 23

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.0.0-RC1 — 5.5.2+2

▶NVDcraftcms/craft_cms3.0.0 — 3.9.14+2

▶CVEListV5craftcms/cms>= 3.0.0, < 3.9.14, >= 4.0.0-RC1, < 4.13.2, >= 5.0.0-RC1, < 5.5.2+2

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled↗2024-12-18

▶

CVEList

RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms↗2024-12-18

▶

GHSA

Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled↗2024-12-18

▶

VulnCheck

Craft CMS Code Injection Vulnerability↗2024

▶

💥Exploits & PoCs

Nuclei

Craft CMS - Remote Code Execution via Template Path Manipulation

▶

Metasploit

Craft CMS Twig Template Injection RCE via FTP Templates Path↗

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)↗2024-12-20

▶

📋Vendor Advisories

CISA

Craft CMS Code Injection Vulnerability↗2025-06-02

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA warns of ConnectWise ScreenConnect bug exploited in attacks↗2025-06-03

▶

Trendmicro

Earth Lamia Develops Custom Arsenal to Target Multiple Industries↗2025-05-27

▶

Recorded Future

H1 2025 Malware and Vulnerability Trends↗

▶

Recorded Future

H1 2025 Malware and Vulnerability Trends↗

▶