CVE-2023-29963

7.2 HIGH

📋 TL;DR

S-CMS v5.0 contains an authenticated remote code execution vulnerability in the /admin/ajax.php component. Attackers with admin credentials can execute arbitrary code on the server. This affects all S-CMS v5.0 installations with default configurations.

💻 Affected Systems

Products:
  • S-CMS
Versions: v5.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication but default admin credentials may be used

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing data theft, ransomware deployment, and complete system control

🟠 Likely Case: Webshell installation leading to data exfiltration and lateral movement within the network

🟢 If Mitigated: Limited impact due to network segmentation and strict access controls

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin credentials but is straightforward to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Restrict admin access

all

Limit admin panel access to specific IP addresses

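# Add to .htaccess in the admin directory, or to the web server config (use one form, not both)
# Apache 2.4+
Require ip 192.168.1.0/24
# Apache 2.2 (or 2.4 with mod_access_compat)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24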

Disable vulnerable endpoint

all

Block access to /admin/ajax.php

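# Apache 2.4+ (server or virtual host config; <Location> is not valid in .htaccess)
<Location /admin/ajax.php>
    Require all denied
</Location>
# Apache 2.2 equivalent inside the block: Order deny,allow / Deny from all
# Nginx: ^~ stops a regex location such as "location ~ \.php$" from taking precedence
location ^~ /admin/ajax.php {
    deny all;
}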

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate S-CMS from critical systems
  • Enable detailed logging and monitoring for suspicious admin activity

🔍 How to Verify

Check if Vulnerable:

Check if S-CMS version is 5.0 and /admin/ajax.php is accessible

Check Version:

Check S-CMS configuration files or admin panel footer for version information

Verify Fix Applied:

Verify /admin/ajax.php returns 403 Forbidden or is inaccessible

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /admin/ajax.php with suspicious parameters
  • Unusual admin login times or locations
  • File creation/modification in web directories

Network Indicators:

  • Outbound connections from web server to unknown IPs
  • Unusual traffic patterns from admin interface

SIEM Query:

source="web_logs" AND (uri="/admin/ajax.php" AND method="POST" AND (param="*system*" OR param="*exec*" OR param="*shell*"))
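
A triage pass over access logs for the first log indicator above, added here as an example (not S-CMS or vendor code). It assumes combined-format logs and reuses the 192.168.1.0/24 allowlist from the workaround; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions: "combined" access log format; allowlist copied from the
# IP-restriction workaround on this page. Adjust both for your deployment.
ADMIN_ALLOWLIST = ipaddress.ip_network("192.168.1.0/24")
ENDPOINT = "/admin/ajax.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(line):
    """Return (verdict, ip, timestamp) for a POST to the endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    # Match on the path only, lower-cased, so query strings and PATH_INFO
    # suffixes (/admin/ajax.php/x) are still caught.
    path = urlsplit(m["target"]).path.lower()
    if path != ENDPOINT and not path.startswith(ENDPOINT + "/"):
        return None
    try:
        inside = ipaddress.ip_address(m["ip"]) in ADMIN_ALLOWLIST
    except ValueError:
        inside = False  # hostname or junk in the client field
    if m["status"] == "403":
        verdict = "blocked"  # the deny rule answered the request
    elif inside:
        verdict = "review"   # admin network: correlate with login records
    else:
        verdict = "alert"    # endpoint served a client outside the allowlist
    return verdict, m["ip"], m["ts"]

def scan(lines):
    return [hit for hit in map(triage, lines) if hit]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.168.1.20 - - [12/May/2023:10:01:02 +0000] "POST /admin/ajax.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2023:10:05:40 +0000] "POST /admin/ajax.php HTTP/1.1" 200 87 "-" "curl/8.0"',
    '203.0.113.9 - - [12/May/2023:10:06:11 +0000] "POST /admin/ajax.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [12/May/2023:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, ip, ts in scan(SAMPLE):
        print(f"{verdict:8} {ip:15} {ts}")
```

A "blocked" verdict doubles as evidence for the "Verify Fix Applied" check, since it shows the endpoint answering 403.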
