CVE-2024-28386

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running fastmagsync v1.7.51 and earlier. Attackers can exploit the getPhpBin() component to achieve remote code execution (RCE), potentially compromising the entire server. All users of fastmagsync v1.7.51 and below are affected.

💻 Affected Systems

Products:
  • fastmagsync
Versions: v1.7.51 and earlier
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of fastmagsync within the vulnerable version range regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with the attacker gaining full control, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Web server compromise leading to data theft, defacement, cryptocurrency mining, or use as part of a botnet.

🟢 If Mitigated

Attack blocked at the network perimeter or application firewall level, with minimal impact if proper segmentation exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists showing unauthenticated RCE via parameter manipulation in cron_mutualise_job_queue.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.home-made.io/module-fastmag-sync-prestashop/

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. If no patch is available, remove or disable the fastmagsync module immediately.
3. Consider alternative synchronization solutions.

🔧 Temporary Workarounds

Disable vulnerable endpoint (platform: linux)

Block access to the vulnerable cron_mutualise_job_queue.php file by renaming it so the web server no longer serves it as PHP:

    mv /path/to/modules/fastmagsync/crons/cron_mutualise_job_queue.php /path/to/modules/fastmagsync/crons/cron_mutualise_job_queue.php.disabled

Web server access restriction (platform: all; Apache example)

Configure the web server to deny access to the vulnerable script. The Order/Deny directives below are Apache 2.2 syntax and only work on Apache 2.4 with mod_access_compat loaded; on a plain 2.4 setup the equivalent inside the Location block is "Require all denied".

    <Location "/modules/fastmagsync/crons/cron_mutualise_job_queue.php">
        Order deny,allow
        Deny from all
    </Location>

🧯 If You Can't Patch

  • Immediately remove the fastmagsync module from production systems
  • Implement strict network segmentation and web application firewall rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check fastmagsync version in module configuration or by examining module files. Versions 1.7.51 and below are vulnerable.

Check Version:

Run grep -r 'version' /path/to/fastmagsync/ against the module directory, or check the module configuration in the PrestaShop admin panel.

Verify Fix Applied:

Verify the module has been completely removed or disabled, and test that cron_mutualise_job_queue.php is no longer accessible.
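The version check above can be scripted. The following is an added example, not part of this advisory or of the fastmagsync module: it assumes the standard PrestaShop module layout, where modules/<name>/config.xml carries a <version> element (an assumption about the layout, not something the advisory states), and compares the installed version against the v1.7.51 cut-off given above. The config.xml content embedded in the script is constructed for illustration.

```python
"""Check whether an installed fastmagsync module falls in the vulnerable range.

Added example (not from the advisory). Assumes the usual PrestaShop layout where
modules/<name>/config.xml contains a <version> element.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# From the advisory: v1.7.51 and earlier are affected.
LAST_VULNERABLE = (1, 7, 51)


def parse_version(text):
    """Turn '1.7.51' or 'v1.7.51' (a trailing suffix is ignored) into a tuple of ints."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the version is at or below the last vulnerable release."""
    return parse_version(version_text) <= LAST_VULNERABLE


def version_from_config_xml(xml_text):
    """Extract the <version> element of a PrestaShop module config.xml (CDATA is handled by ElementTree)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("config.xml has no <version> element")
    return node.text.strip()


def check_module_dir(module_dir):
    """Read <module_dir>/config.xml and return (version, vulnerable?)."""
    cfg = Path(module_dir) / "config.xml"
    version = version_from_config_xml(cfg.read_text(encoding="utf-8"))
    return version, is_vulnerable(version)


# Constructed sample config.xml (illustrative, not a file shipped with the module).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
    <name>fastmagsync</name>
    <displayName><![CDATA[Fastmag Sync]]></displayName>
    <version><![CDATA[1.7.51]]></version>
</module>
"""

if __name__ == "__main__":
    v = version_from_config_xml(SAMPLE_CONFIG_XML)
    state = "VULNERABLE" if is_vulnerable(v) else "not in the vulnerable range"
    print(f"fastmagsync {v}: {state}")
```

On a live system, call check_module_dir("/path/to/modules/fastmagsync") and treat any result in the vulnerable range as a reason to apply the workarounds above until a fixed release is available.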

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to cron_mutualise_job_queue.php with parameter manipulation
  • PHP execution errors in web server logs
  • Unexpected file creation in web directories

Network Indicators:

  • HTTP requests containing 'echo', 'php', or command injection patterns targeting the vulnerable endpoint
  • Unusual outbound connections from web server

SIEM Query:

web.url: "*cron_mutualise_job_queue.php*" AND (web.query: "*echo*" OR web.query: "*php*" OR web.query: "*;*" OR web.query: "*&*" OR web.query: "*|*")
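The SIEM query above matches the literal "&" character, which appears in every multi-parameter query string, so it is noisy. The following added example (not part of the advisory) applies the same indicators to web server access logs, but decodes the query string first and checks each decoded parameter pair, so an "&" separator is not flagged while a URL-encoded or double-encoded one inside a value is. The combined-format log lines at the bottom are constructed for illustration; the parameter name "param" is a placeholder, not a real fastmagsync parameter.

```python
"""Flag access-log requests to the fastmagsync cron endpoint whose query values contain the
indicators listed in the advisory. Added example; sample log lines are constructed."""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

TARGET_PATH = "cron_mutualise_job_queue.php"

# Indicators from the advisory's SIEM query. "&" is checked inside decoded values only,
# never as the raw separator between parameters.
INDICATOR_TOKENS = ("echo", "php", ";", "|", "&")

# Apache/nginx "combined" log format; anything after the size field is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_query_pairs(query):
    """Split on the raw '&' separator, then decode each pair twice to catch double encoding."""
    return [unquote(unquote_plus(pair)) for pair in query.split("&") if pair]


def matched_indicators(target):
    """Indicator tokens found in the decoded query of a request to the target path (empty otherwise)."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return []
    found = []
    for pair in decoded_query_pairs(parts.query):
        lowered = pair.lower()
        for tok in INDICATOR_TOKENS:
            if tok in lowered and tok not in found:
                found.append(tok)
    return found


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    fields = parse_line(line)
    if fields is None:
        return None
    hits = matched_indicators(fields["target"])
    if not hits:
        return None
    return {"ip": fields["ip"], "ts": fields["ts"], "target": fields["target"],
            "status": fields["status"], "matched": hits}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2024:10:01:22 +0000] "GET /modules/fastmagsync/crons/cron_mutualise_job_queue.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:10:01:30 +0000] "GET /modules/fastmagsync/crons/cron_mutualise_job_queue.php?param=abc%3Becho%20test HTTP/1.1" 200 98 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:10:02:01 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:03:15 +0000] "GET /modules/fastmagsync/crons/cron_mutualise_job_queue.php?param=%2526 HTTP/1.1" 200 98 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"{finding['ts']} {finding['ip']} {finding['target']} -> {finding['matched']}")
```

Feed it a real access log with scan(open("/var/log/apache2/access.log")) and review every finding alongside the "unexpected file creation" and "unusual outbound connection" indicators listed above; the first sample line, a bare request to the endpoint with no query, is deliberately not flagged, since legitimate cron triggers look like that, but a bare hit from an unexpected source address is still worth a look.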
