CVE-2024-56145
📋 TL;DR
CVE-2024-56145 is a critical remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected systems. Users are affected if they run vulnerable Craft CMS versions with PHP's register_argc_argv setting enabled. This vulnerability has a CVSS score of 9.8 and is being actively exploited.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to website defacement, data theft, or deployment of ransomware.
If Mitigated
No impact if register_argc_argv is disabled or systems are patched.
🎯 Exploit Status
Exploit code is publicly available and CISA has added this to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.14, 4.13.2, or 5.5.2 depending on your Craft CMS version
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
Restart Required: No
Instructions:
1. Identify your Craft CMS version.
2. Update to the appropriate patched version: 3.x → 3.9.14, 4.x → 4.13.2, 5.x → 5.5.2.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable register_argc_argv in PHP
Disables the PHP setting that enables this vulnerability
Edit php.ini and set: register_argc_argv = Off
Restart PHP service: sudo systemctl restart php-fpm (or your PHP service)
🧯 If You Can't Patch
- Disable register_argc_argv in PHP configuration immediately
- Implement web application firewall rules to block suspicious requests to Craft CMS endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Craft CMS version in the admin panel or in composer.json. Also check whether php.ini has register_argc_argv = On, the setting that exposes a vulnerable version.
Check Version:
Check Craft CMS admin panel or run: php craft/about (from Craft root directory)
Verify Fix Applied:
Confirm Craft CMS version is 3.9.14, 4.13.2, or 5.5.2 or higher. Verify register_argc_argv is disabled in php.ini.
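The two checks above can be combined into one offline triage step. The following is an added example, not code from Craft CMS or the vendor advisory: it reads the installed craftcms/cms version from composer.lock text and the register_argc_argv value from a single php.ini text. The function names are hypothetical, and it assumes the directive is On when absent and does not follow conf.d or per-directory overrides.

```python
import json
import re

# Patched releases per major branch, as listed under "Official Fix" on this page.
PATCHED = {3: (3, 9, 14), 4: (4, 13, 2), 5: (5, 5, 2)}

def craft_version(composer_lock_text):
    """Return the installed craftcms/cms version as an int tuple, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", pkg.get("version", ""))
            return tuple(int(x) for x in m.groups()) if m else None
    return None

def argc_argv_enabled(php_ini_text):
    """Effective register_argc_argv from one php.ini text (last assignment wins).

    Assumption: PHP's built-in default is On when the directive is absent.
    """
    enabled = True
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"register_argc_argv\s*=\s*(.*)$", line, re.I)
        if m:
            value = m.group(1).strip().strip("\"'").lower()
            enabled = value in ("1", "on", "true", "yes")
    return enabled

def assess(composer_lock_text, php_ini_text):
    """Classify a host as 'patched', 'mitigated', 'vulnerable' or 'unknown'."""
    version = craft_version(composer_lock_text)
    if version is None or version[0] not in PATCHED:
        return "unknown"  # package missing, or a branch this page does not cover
    if version >= PATCHED[version[0]]:
        return "patched"
    return "vulnerable" if argc_argv_enabled(php_ini_text) else "mitigated"

# Constructed sample inputs (not taken from a real installation).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "yiisoft/yii2", "version": "2.0.51"},
    {"name": "craftcms/cms", "version": "4.13.1"},
]})
SAMPLE_INI = "; constructed php.ini\nmemory_limit = 256M\nregister_argc_argv = On\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_INI))  # vulnerable
```

A "mitigated" result still calls for the update; it only reflects the workaround being in place in the file that was inspected.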
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Craft CMS endpoints
- Suspicious PHP execution attempts in web server logs
- Unexpected file creation in Craft directories
Network Indicators:
- HTTP requests with unusual parameters to Craft CMS paths
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_server" AND (uri_path="*/index.php*" OR uri_path="*/craft*" OR uri_path="*/admin*") AND (http_method="POST" OR parameters CONTAINS suspicious_patterns)