CVE-2024-27114

9.8 CRITICAL

📋 TL;DR

CVE-2024-27114 is an unauthenticated remote code execution vulnerability in the SO Planning online planning tool. When public view is enabled, attackers can upload PHP files that remain available for execution for milliseconds before they are deleted, allowing arbitrary code execution on the underlying system. Organizations using SO Planning with public view enabled are affected.

💻 Affected Systems

Products:
  • SO Planning online planning tool
Versions: All versions before 1.52.02
Operating Systems: Any OS running SO Planning
Default Config Vulnerable: ✅ No
Notes: Requires public view setting to be enabled for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing an attacker to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Initial foothold leading to data exfiltration, ransomware deployment, or use as part of a larger attack chain.

🟢 If Mitigated

No impact if public view is disabled or the system is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires public view enabled and precise timing to execute during the brief window before file deletion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.52.02

Vendor Advisory: https://csirt.divd.nl/CVE-2024-27114

Restart Required: Yes

Instructions:

  1. Download SO Planning version 1.52.02 or later from the official source.
  2. Back up the current installation and data.
  3. Stop the SO Planning service.
  4. Replace files with the patched version.
  5. Restart the SO Planning service.
  6. Verify functionality.

🔧 Temporary Workarounds

Disable Public View

Platform: all

Disable the public view setting in SO Planning configuration to prevent exploitation.

Edit SO Planning configuration to set public view to disabled

Web Server File Upload Restrictions

Platform: all

Configure web server to block PHP file uploads to SO Planning directories.

Add deny rules for .php files in web server configuration

🧯 If You Can't Patch

  • Disable public view setting immediately
  • Implement network segmentation to isolate SO Planning from critical systems

🔍 How to Verify

Check if Vulnerable:

Check SO Planning version and verify if public view setting is enabled.

Check Version:

Check SO Planning admin interface or version file in installation directory

Verify Fix Applied:

Confirm version is 1.52.02 or later and test that PHP file uploads are properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to SO Planning directories
  • PHP file creation in upload directories
  • Failed deletion attempts of uploaded files

Network Indicators:

  • HTTP POST requests with PHP file uploads to SO Planning endpoints
  • Unusual outbound connections from SO Planning server

SIEM Query:

source="web_server" AND (uri="/so-planning/upload" OR uri CONTAINS ".php") AND method="POST"
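
The correlation behind these indicators, as an added example (not code from the vendor or the advisory): it flags a `.php` file served from the upload path within a short window of a POST by the same client. The path prefix is taken from the SIEM query above and may differ on a given install; the two-second window and the log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: prefix copied from the SIEM query above; adjust to the real install path.
UPLOAD_PREFIX = "/so-planning/upload"
# Assumption: access logs have 1 s resolution, so allow a small window around the POST.
WINDOW = timedelta(seconds=2)

# Common/combined access-log format: ip - - [time] "METHOD uri proto" status ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["uri"].split("?", 1)[0], int(m["status"])

def find_upload_then_php(lines, prefix=UPLOAD_PREFIX, window=WINDOW):
    """Flag 2xx responses for .php files under prefix close in time to a POST."""
    records = [r for r in map(parse, lines) if r]
    posts = [(ip, ts) for ip, ts, method, path, _ in records
             if method == "POST" and path.startswith(prefix)]
    alerts = []
    for ip, ts, method, path, status in records:
        if method == "POST" or not path.startswith(prefix):
            continue
        if not path.lower().endswith(".php") or not 200 <= status < 300:
            continue
        # Logs are written when a request completes, so the hit on the uploaded
        # file can be logged before the POST that created it: compare both ways.
        if any(p_ip == ip and abs(ts - p_ts) <= window for p_ip, p_ts in posts):
            alerts.append((ip, path, ts.isoformat()))
    return alerts

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /so-planning/upload/a1.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "POST /so-planning/upload HTTP/1.1" 200 431',
    '198.51.100.4 - - [12/Mar/2024:10:20:00 +0000] "POST /so-planning/upload HTTP/1.1" 200 431',
    '198.51.100.4 - - [12/Mar/2024:10:20:09 +0000] "GET /so-planning/upload/plan.pdf HTTP/1.1" 200 9000',
    '192.0.2.9 - - [12/Mar/2024:11:00:00 +0000] "GET /so-planning/upload/x.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in find_upload_then_php(SAMPLE_LOG):
        print(alert)
```

Correlation here is per client IP, so an upload and a fetch from different addresses will not match; drop the `p_ip == ip` condition to trade precision for coverage.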
