CVE-2023-36969
📋 TL;DR
CMS Made Simple v2.2.17 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious files and execute arbitrary commands on the server. This affects any system running the vulnerable version with file upload functionality enabled. Attackers must have valid administrator credentials to exploit this vulnerability.
💻 Affected Systems
- CMS Made Simple
📦 What is this software?
CMS Made Simple by Cmsmadesimple
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, install malware, steal data, and pivot to other systems on the network.
Likely Case
Attackers with admin credentials upload webshells or malicious scripts to gain persistent access, deface websites, or steal sensitive data.
If Mitigated
With proper access controls and file upload restrictions, impact is limited to unauthorized file uploads without code execution.
🎯 Exploit Status
Exploitation requires admin credentials but is straightforward once authenticated. Public exploit details and proof-of-concept are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.2.18 or later
Vendor Advisory: https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=84685
Restart Required: No
Instructions:
1. Back up your CMS Made Simple installation and database.
2. Download the latest version from the official website.
3. Replace all files with the new version, preserving your configuration files.
4. Run the upgrade script if prompted.
5. Verify the installation works correctly.
🔧 Temporary Workarounds
Disable File Upload Module
Temporarily disable the file upload functionality in CMS Made Simple to prevent exploitation.
Navigate to Extensions > Modules, find the File Manager module, and click Disable.
Restrict File Upload Types
Configure the file manager to only allow specific safe file extensions.
In File Manager settings, restrict allowed extensions to: jpg,jpeg,png,gif,pdf,doc,docx,txt
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for all admin accounts
- Deploy a web application firewall (WAF) with rules to block malicious file uploads and command execution attempts
🔍 How to Verify
Check if Vulnerable:
Check the CMS version in the admin panel under Site Admin > About CMS Made Simple. If the version is exactly 2.2.17, the system is vulnerable.
Check Version:
Check the CMS version in the admin interface or examine the file /version.php in the installation directory.
Verify Fix Applied:
After updating, verify the version shows 2.2.18 or higher in the admin panel. Test file upload functionality with restricted file types.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with executable extensions (.php, .jsp, .asp)
- Multiple failed login attempts followed by successful admin login
- File uploads to unusual directories
- Commands executed via uploaded files in web server logs
Network Indicators:
- HTTP POST requests to file upload endpoints with executable content
- Outbound connections from the CMS server to suspicious IPs after file uploads
SIEM Query:
source="web_server_logs" AND (uri_path="/admin/filemanager/browser.php" OR uri_path="/admin/filemanager/upload.php") AND (status=200 OR status=302) AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")
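
As an added example (not part of the original advisory or of CMS Made Simple), the following Python script applies the log indicators above to access-log lines: it flags requests for files with the listed executable extensions under an upload directory and records whether the same client earlier sent an accepted POST to one of the upload endpoints named in the SIEM query. The `/uploads/` prefix, the common/combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Upload endpoints exactly as named in the page's SIEM query.
UPLOAD_ENDPOINTS = {"/admin/filemanager/browser.php", "/admin/filemanager/upload.php"}
# Executable extensions from the page's log indicators.
EXEC_EXTS = (".php", ".jsp", ".asp")
# Assumption: URL prefix under which uploaded files are served; set it for your site.
UPLOAD_PREFIX = "/uploads/"

# Common/combined access log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspect_requests(lines, upload_prefix=UPLOAD_PREFIX):
    """Return requests for executable-looking files under the upload prefix,
    noting whether the same client earlier POSTed to an upload endpoint."""
    uploaders = set()   # clients with an accepted POST to an upload endpoint
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue    # skip lines that are not in the expected format
        path = urlsplit(m["target"]).path.lower()   # drop query, ignore case
        status = int(m["status"])
        if m["method"] == "POST" and path in UPLOAD_ENDPOINTS and status in (200, 302):
            uploaders.add(m["ip"])
        elif path.startswith(upload_prefix):
            name = path.rsplit("/", 1)[-1]
            # Match the extension anywhere in the name to catch "x.php.jpg" too.
            if any(ext + "." in name + "." for ext in EXEC_EXTS):
                findings.append({"ip": m["ip"], "time": m["ts"], "path": path,
                                 "status": status, "after_upload_post": m["ip"] in uploaders})
    return findings

# Constructed sample lines (documentation IP ranges), not from a real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2023:10:00:01 +0000] "POST /admin/filemanager/upload.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2023:10:00:09 +0000] "GET /uploads/notes.PHP?v=1 HTTP/1.1" 200 77',
    '198.51.100.4 - - [10/Jul/2023:10:01:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Jul/2023:10:02:00 +0000] "GET /uploads/old.php.jpg HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Jul/2023:10:03:00 +0000] "GET /admin/filemanager/browser.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in find_suspect_requests(SAMPLE_LOG):
        print(finding)
```

Standard access logs do not record the filename carried in a multipart upload body, so the request for the uploaded file is usually the first place the extension becomes visible; findings with `after_upload_post` set to true deserve priority review.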