CVE-2024-55461

9.8 CRITICAL

📋 TL;DR

SeaCMS versions up to and including 13.0 contain a command injection vulnerability in phome.php, reachable through the Ebak_RepPathFiletext() function. A successful attack executes arbitrary OS commands with the privileges of the web server (PHP) process. The flaw is in core code, so every installation running an affected version is exposed regardless of configuration.

💻 Affected Systems

Products:
  • SeaCMS
Versions: <= 13.0
Operating Systems: Any OS running SeaCMS (typically Linux/Windows web servers)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of SeaCMS <= 13.0 are vulnerable. The vulnerability is in core code and doesn't require special configuration.

📦 What is this software?

SeaCMS (海洋CMS) is an open-source PHP content management system, widely deployed for video-on-demand and streaming sites.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data theft, ransomware deployment, lateral movement to other systems, and complete system takeover.

🟠 Likely Case

Remote code execution allowing attackers to install backdoors, steal sensitive data, deface websites, or use the server for malicious activities.

🟢 If Mitigated

Reduced blast radius if the web server runs as a low-privilege user, the host is network-segmented, and access to phome.php is restricted. Command execution on the host would still be possible; only its consequences are contained.

🌐 Internet-Facing: HIGH - The vulnerability is in a web application component and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external exposure poses greater risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears to be publicly documented with technical details available. Command injection vulnerabilities are typically easy to exploit once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check vendor for updates

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for an official SeaCMS release newer than 13.0.
2. If a patched release exists, back up the site files and database.
3. Apply the update following the SeaCMS documentation.
4. Re-test the previously vulnerable endpoint (see How to Verify) to confirm the fix.

🔧 Temporary Workarounds

Disable or restrict phome.php access

Applies to: all platforms

Block access to the vulnerable phome.php file at the web server while awaiting a patch. This also disables whatever functionality phome.php provides, so treat it as a temporary measure.

# Apache 2.4 (.htaccess or vhost config):
<Files "phome.php">
    Require all denied
</Files>
# Apache 2.2 legacy syntax (do not mix with the 2.4 form above):
# <Files "phome.php">
#     Order allow,deny
#     Deny from all
# </Files>

# Nginx: regex locations are matched in configuration order, so this block must
# appear BEFORE the generic "location ~ \.php$" handler or the file still runs.
location ~ /phome\.php$ {
    deny all;   # nginx answers 403 on its own; no separate return needed
}

Input validation hardening

Applies to: all platforms

Strip shell metacharacters from the input before it reaches Ebak_RepPathFiletext(). A denylist like this is a stopgap only: the correct fix is to stop passing user-controlled data to a shell, or to wrap each argument in escapeshellarg() at the call site.

<?php
// Stopgap: add to phome.php before the Ebak_RepPathFiletext() call and pass
// the user-supplied value through sanitize_input() first.
function sanitize_input($input) {
    // Double quotes make "\n", "\r" and "\0" real control bytes; in single
    // quotes '\n' is the two literal characters '\' and 'n' and filters nothing.
    $dangerous = array(';', '|', '&', '`', '$', '(', ')', '{', '}', '[', ']',
                       '>', '<', "\n", "\r", "\0");
    return str_replace($dangerous, '', (string) $input);
}

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block command injection patterns, including URL-encoded forms of the metacharacters
  • Restrict network access to SeaCMS administration interfaces and limit it to trusted IPs only
  • Run the web server / PHP-FPM worker as an unprivileged user so that a successful injection does not yield root
  • If the site does not need shell execution, list system, exec, shell_exec, passthru, popen and proc_open in php.ini disable_functions (test first; other features may depend on them)

🔍 How to Verify

Check if Vulnerable:

Confirm the installed SeaCMS version is <= 13.0, that phome.php is present, and that it still contains the unpatched Ebak_RepPathFiletext() function.

Check Version:

# Check SeaCMS version (adjust the path; the version file name may differ between releases,
# so fall back to searching the source tree for a version string)
cat /path/to/seacms/version.txt 2>/dev/null || grep -r 'SeaCMS' /path/to/seacms/ | grep -i version

Verify Fix Applied:

Send a benign request to the previously vulnerable endpoint with a harmless payload (for example one containing 'echo test') and confirm that no command output or side effect is produced. Pair this with a source review: the patched code should no longer pass unescaped request data into a shell call.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to phome.php with shell metacharacters
  • Web server logs showing command execution patterns in URLs/parameters
  • System logs showing web server process spawning unexpected child processes

Network Indicators:

  • HTTP requests containing shell commands in parameters
  • Outbound connections from web server to unexpected destinations

SIEM Query (pseudo-syntax; map field names to your platform):

source="web_server_logs" AND (url="*phome.php*" AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*"))

Most access-log formats record the request line URL-encoded as the client sent it, so also match the encoded forms (%3B, %7C, %60, %24%28) or decode the field before matching. POST bodies are not written to access logs at all; payloads carried there need WAF or application-level logging.
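The following is an added example, not code from SeaCMS or from the original page: a log-scanning check that complements the SIEM query above by URL-decoding query values before matching, so encoded and double-encoded payloads (%3B, %2524%2528) are caught. It assumes Apache/Nginx "combined" log format; the log lines are constructed samples, and the parameter names in them (path, x, n) are placeholders, not SeaCMS parameters.

```python
"""Scan web-server access logs for requests to phome.php whose decoded
query values contain shell metacharacters.

Added example (not from SeaCMS or the original page). Assumes the
Apache/Nginx "combined" log format; SAMPLE_LOGS is constructed data and
its parameter names (path, x, n) are placeholders.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# combined format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Command separators, substitutions and redirections in POSIX shells.
META_RE = re.compile(r'[;|&`\n\r<>]|\$\(|\$\{')

# Constructed sample traffic (not real logs).
SAMPLE_LOGS = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /admin/index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2025:12:00:02 +0000] "GET /phome.php?path=backup&n=1 HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.12 - - [10/Jan/2025:12:00:03 +0000] "GET /phome.php?path=a%3Bid HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.13 - - [10/Jan/2025:12:00:04 +0000] "POST /phome.php?x=%2524%2528whoami%2529 HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.5 - - [10/Jan/2025:12:00:05 +0000] "GET /index.php?q=a|b HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""


def decoded_params(target):
    """Split a request target into (path, [(name, value), ...]).

    parse_qsl splits on '&' and URL-decodes once, so the '&' that separates
    parameters is never mistaken for a shell operator. A second unquote_plus
    on each value also catches double-encoded payloads (%253B -> %3B -> ;).
    """
    parts = urlsplit(target)
    params = [(k, unquote_plus(v))
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, params


def suspicious_request(line, script="/phome.php"):
    """Return (ip, method, decoded target) if `line` is a request to `script`
    whose decoded query values contain a shell metacharacter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = decoded_params(m.group("target"))
    if not path.endswith(script):
        return None
    if not any(META_RE.search(v) for _, v in params):
        return None
    decoded = path + "?" + "&".join(f"{k}={v}" for k, v in params)
    return m.group("ip"), m.group("method"), decoded


def scan(log_text, script="/phome.php"):
    """Return every suspicious request found in the log text."""
    hits = [suspicious_request(line, script) for line in log_text.splitlines()]
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for ip, method, target in scan(SAMPLE_LOGS):
        print(f"SUSPICIOUS {ip} {method} {target}")
```

On the sample data the scan flags the third and fourth lines only: the second line hits phome.php but carries nothing shell-like, and the fifth carries a pipe but targets a different script. Because access logs record only the request line, this catches query-string payloads; payloads in a POST body are invisible here and need WAF or application-level logging.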
