CVE-2024-39243

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary code on skycaiji 2.8 systems by sending specially crafted POST requests to the /index.php?s=/admin/develop/editor_save endpoint. This affects all installations of skycaiji 2.8 that have the admin development interface accessible.

💻 Affected Systems

Products:
  • skycaiji
Versions: 2.8
Operating Systems: All operating systems running skycaiji
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the admin development interface which may be enabled by default in some configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or establish persistent backdoors.

🟠 Likely Case

Attackers gain remote code execution to deploy ransomware, cryptocurrency miners, or data exfiltration tools.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web requests and exploitation requires no authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but external exposure is more dangerous.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is publicly documented with exploitation details, making weaponization highly probable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check for official updates from skycaiji developers
2. If no patch available, implement workarounds immediately
3. Consider migrating to alternative software if patching is not possible

🔧 Temporary Workarounds

Block Vulnerable Endpoint

all

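Use web server configuration or a WAF to block access to /index.php?s=/admin/develop/editor_save. Apache RewriteRule patterns and Nginx location patterns match only the URL path, not the query string, so the rule must test the query string explicitly. Both rules below match the query string as sent, without percent-decoding, so pair them with WAF normalisation or with disabling the interface.

# Apache (mod_rewrite, RewriteEngine On): RewriteCond %{QUERY_STRING} admin/develop/editor_save [NC]
#                                         RewriteRule ^/?index\.php$ - [F,L]
# Nginx (server block): if ($args ~* "admin/develop/editor_save") { return 403; }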

Disable Admin Development Interface

all

Remove or disable the admin development functionality if not required

# Remove or rename the relevant controller files in the skycaiji installation

🧯 If You Can't Patch

  • Isolate affected systems in a restricted network segment with no internet access
  • Implement strict network access controls and monitor all traffic to/from skycaiji systems

🔍 How to Verify

Check if Vulnerable:

Check if skycaiji version is 2.8 and the /index.php?s=/admin/develop/editor_save endpoint is accessible

Check Version:

Check skycaiji configuration files or admin interface for version information

Verify Fix Applied:

Verify the vulnerable endpoint is no longer accessible or returns appropriate error responses

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /index.php?s=/admin/develop/editor_save with unusual payloads
  • System command execution in web server logs
  • Unauthorized file uploads or modifications

Network Indicators:

  • Unusual outbound connections from skycaiji server
  • Traffic patterns indicating command and control activity

SIEM Query:

web.url:*admin/develop/editor_save AND http.method:POST AND (web.post_data:*cmd* OR web.post_data:*system* OR web.post_data:*exec*)
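
The first log indicator above, as an added example that is not part of the original advisory or of skycaiji: a small detector that scans web server access logs for POST requests naming the editor_save endpoint. It assumes Combined Log Format; because such logs do not record POST bodies, it flags every POST to the endpoint and reports the status code instead of inspecting the payload. The function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "admin/develop/editor_save"  # path taken from the advisory


def decode_target(target, rounds=3):
    """Percent-decode repeatedly so encoded forms normalise to one string."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()


def find_editor_save_posts(lines):
    """Return (ip, time, status) for every POST whose target names the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match anywhere in the decoded target, not only in the raw s= value.
        if ENDPOINT in decode_target(m["target"]):
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Jul/2024:08:01:12 +0000] "POST /index.php?s=/admin/develop/editor_save HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jul/2024:08:01:15 +0000] "POST /index.php?s=%2FAdmin%2Fdevelop%2Feditor_save HTTP/1.1" 403 162 "-" "curl/8.0"',
    '203.0.113.20 - - [10/Jul/2024:08:02:00 +0000] "GET /index.php?s=/admin/develop/editor_save HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Jul/2024:08:03:00 +0000] "POST /index.php?s=/admin/index/login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, status in find_editor_save_posts(SAMPLE):
        # A 2xx status means the request reached the application, not a block rule.
        print(ip, when, status, "REACHED APP" if status < 300 else "blocked or error")
```

A hit with a 2xx status after the block rule is deployed means the rule is not matching that request form and the host should be treated as potentially compromised.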
