CVE-2024-0603

7.3 HIGH

📋 TL;DR

This is a critical remote code execution vulnerability in the ZhiCms content management system. Attackers can exploit insecure deserialization in the giftcontroller.php file to execute arbitrary code on affected systems. All ZhiCms installations up to version 4.0 are vulnerable if the gift plugin is enabled.

💻 Affected Systems

Products:
  • ZhiCms
Versions: up to 4.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the gift plugin to be installed and accessible. The vulnerable file is in app/plug/controller/giftcontroller.php.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, install malware, steal data, and pivot to other systems.

🟠 Likely Case

Remote code execution leading to web shell installation, data theft, and potential lateral movement within the network.

🟢 If Mitigated

Attack blocked at perimeter with proper WAF rules and input validation in place.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing systems immediate targets.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but require initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily weaponizable. Attack requires sending crafted data to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Disable Gift Plugin (applies to: all platforms)

Remove or disable the vulnerable gift plugin to prevent exploitation:

  rm -rf app/plug/controller/giftcontroller.php

Alternatively, disable the plugin via the admin panel if available.

Input Validation (applies to: all platforms)

Add proper input validation and sanitization for the mylike parameter.

Edit app/plug/controller/giftcontroller.php to validate and sanitize the input before it reaches the unserialize() call.

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing serialized PHP objects
  • Restrict network access to affected systems and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if file app/plug/controller/giftcontroller.php exists and contains unserialize() calls without proper validation.

Check Version:

Check ZhiCms version in configuration files or admin panel

Verify Fix Applied:

Verify gift plugin is disabled or file is removed, and test with known exploit payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to giftcontroller.php
  • PHP unserialize errors in logs
  • Unexpected file creations in web directories

Network Indicators:

  • HTTP requests containing serialized PHP objects (O:... patterns)
  • Traffic to giftcontroller.php with unusual parameters

SIEM Query:

source="web_logs" AND uri="*giftcontroller.php*" AND (method="POST" OR params="*mylike=*")
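As an added illustration of the log and network indicators above (this is example code, not part of the original advisory), the following Python script applies the same logic as the SIEM query to access-log lines: it flags requests to giftcontroller.php that are POSTs, carry a mylike parameter, or carry a percent-encoded PHP serialized object (the O:... pattern). The log lines, timestamps and IP addresses are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Start of a PHP serialized object: O:<len>:"<ClassName>":<props>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

# Common-log-format prefix: ip ident user [timestamp] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "giftcontroller.php"

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Feb/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2024:12:00:02 +0000] "GET /app/plug/controller/giftcontroller.php?mylike=42 HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Feb/2024:12:00:03 +0000] "POST /app/plug/controller/giftcontroller.php HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Feb/2024:12:00:04 +0000] "GET /app/plug/controller/giftcontroller.php?mylike=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0',
]

def classify(line):
    """Return (severity, reason) for one access-log line, or None if not of interest."""
    m = LOG_RE.match(line)
    if not m or VULN_PATH not in m["target"]:
        return None
    # parse_qs percent-decodes values, so an encoded O:... payload becomes visible here
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for value in params.get("mylike", []):
        if PHP_OBJECT_RE.search(value):
            return ("high", f"serialized PHP object in mylike from {m['ip']}")
    if "mylike" in params:
        return ("medium", f"mylike parameter sent to {VULN_PATH} from {m['ip']}")
    if m["method"] == "POST":
        # Request bodies are not in the access log, so a POST to the endpoint is
        # flagged on its own; correlate with PHP unserialize errors to confirm.
        return ("medium", f"POST to {VULN_PATH} from {m['ip']}")
    return None

def scan(lines):
    """Run classify() over log lines and return the alerts in order."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOGS):
        print(f"[{severity.upper()}] {reason}")
```

Feed it real access logs with `scan(open(path))`; adjust LOG_RE if your web server uses a different log format.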
