CVE-2024-40522

8.8 HIGH

📋 TL;DR

SeaCMS 12.9 contains a remote code execution vulnerability in phomebak.php where unfiltered variable names are written into PHP files. Authenticated attackers can exploit this to execute arbitrary commands and gain system permissions. This affects all SeaCMS 12.9 installations with the vulnerable file present.

💻 Affected Systems

Products:
  • SeaCMS
Versions: 12.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit. All SeaCMS 12.9 installations are vulnerable unless patched.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing an attacker to execute arbitrary commands, install malware, exfiltrate data, and maintain persistent access.

🟠 Likely Case: Web server compromise leading to data theft, defacement, or use as an attack platform.

🟢 If Mitigated: Limited impact with proper authentication controls and file system restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for official SeaCMS patch or update
2. If no patch, apply workarounds
3. Monitor SeaCMS security announcements

🔧 Temporary Workarounds

Remove vulnerable file (Linux)

Delete or rename phomebak.php to prevent exploitation. Use one of the two commands, not both (the second will fail once the file is deleted):

# either delete it
rm /path/to/seacms/phomebak.php
# or rename it (a .bak file left in the web root may still be downloadable as plain text)
mv /path/to/seacms/phomebak.php /path/to/seacms/phomebak.php.bak

Restrict file permissions (Linux)

Set phomebak.php to read-only for the web server user. Note that the web server can still read and execute a mode-444 script, so this only prevents the script itself from being modified; removing it is the stronger option.

chmod 444 /path/to/seacms/phomebak.php

🧯 If You Can't Patch

  • Implement strict authentication controls and monitor for suspicious login attempts
  • Restrict network access to SeaCMS administration interface using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check whether phomebak.php exists in the SeaCMS installation directory and review the version number in the configuration files

Check Version:

grep -r 'version' /path/to/seacms/config/ || cat /path/to/seacms/readme.txt

Verify Fix Applied:

Verify that phomebak.php has been removed, renamed, or made read-only, and check for an updated SeaCMS version

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to phomebak.php
  • Multiple failed login attempts followed by successful login
  • File modification events in SeaCMS directory

Network Indicators:

  • HTTP requests containing PHP code in parameters to phomebak.php
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND uri="*phomebak.php*" AND (method="POST" OR params="*php*" OR params="*system(*" OR params="*exec(*")
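As an added example (not from this page or from SeaCMS), the following Python applies the indicators listed above to Apache-style access log lines: it flags POST requests to phomebak.php and any request whose query parameters contain the same substrings as the SIEM query. The log lines, client IPs and the `param` parameter name are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache "combined" log lines, not real traffic. Line 2 is a POST
# to phomebak.php, line 3 a GET whose query carries PHP markers; 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:13:01:02 +0000] "GET /seacms/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2024:13:01:09 +0000] "POST /seacms/phomebak.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:13:02:30 +0000] "GET /seacms/phomebak.php?param=%3C%3Fphp+system%28 HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.2 - - [10/Jul/2024:13:05:00 +0000] "GET /seacms/phomebak.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# client identd user [timestamp] "METHOD target protocol" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
VULN_SCRIPT = "phomebak.php"
PHP_MARKERS = ("php", "system(", "exec(")  # same substrings as the SIEM query above


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(entry):
    """Return the indicators matched by one parsed request (empty list = benign).
    Only requests to phomebak.php are considered."""
    url = urlsplit(entry["target"])
    if url.path.rsplit("/", 1)[-1] != VULN_SCRIPT:
        return []
    reasons = []
    if entry["method"] == "POST":
        reasons.append("POST to " + VULN_SCRIPT)
    # Percent-decode so "%3C%3Fphp" and "system%28" become visible to the match.
    query = unquote_plus(url.query).lower()
    reasons.extend("parameter contains " + mk for mk in PHP_MARKERS if mk in query)
    return reasons


def scan(log_text):
    """Return (ip, timestamp, reasons) for every flagged request in log_text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = flag_request(entry) if entry else []
        if reasons:
            hits.append((entry["ip"], entry["ts"], reasons))
    return hits
```

Point `scan` at a real access log to get one tuple per matching request; a plain GET to phomebak.php with no suspicious parameters is deliberately not reported, matching the SIEM query's scope.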
