CVE-2024-57763
📋 TL;DR
This CVE describes a fastjson deserialization vulnerability in MSFM that allows remote code execution by sending malicious payloads to the system/table/addField endpoint. Attackers can exploit this to execute arbitrary code on affected systems. All systems running MSFM before version 2025.01.01 are vulnerable.
💻 Affected Systems
- MSFM
📦 What is this software?
Mysiteforme by Wangl1989
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution leading to web server compromise, data exfiltration, and lateral movement within the network.
If Mitigated
Exploitation blocked by network segmentation, WAF rules, or input validation preventing malicious payloads.
🎯 Exploit Status
Fastjson deserialization vulnerabilities are well-understood with existing exploit frameworks. The public issue tracker contains technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.01.01
Vendor Advisory: https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVFD
Restart Required: Yes
Instructions:
1. Download MSFM version 2025.01.01 or later from the official repository.
2. Replace all existing MSFM files with the updated version.
3. Restart the MSFM service or application server.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the system/table/addField endpoint via web server configuration or firewall rules
# For Apache (server or VirtualHost context, mod_rewrite enabled):
RewriteEngine On
RewriteRule ^/system/table/addField - [F]
# For Nginx (inside the server block):
location ~ ^/system/table/addField { deny all; }
Input validation filter
Implement request filtering to block malicious fastjson payloads
# WAF rule to block suspicious JSON patterns (request body inspection requires SecRequestBodyAccess On)
# Example ModSecurity rule:
SecRule REQUEST_BODY "@rx \"@type\"" "id:1001,phase:2,deny,status:403,msg:'fastjson @type key in request body'"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MSFM instances from critical systems
- Deploy a web application firewall with rules specifically targeting fastjson deserialization patterns
🔍 How to Verify
Check if Vulnerable:
Check if MSFM version is below 2025.01.01 and if the system/table/addField endpoint is accessible
Check Version:
Check MSFM configuration files or application metadata for version information
Verify Fix Applied:
Verify MSFM version is 2025.01.01 or higher and test that the system/table/addField endpoint rejects malicious fastjson payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /system/table/addField
- Java deserialization errors in application logs
- Suspicious Java class loading events
Network Indicators:
- HTTP POST requests to /system/table/addField containing @type or $ref patterns
- Outbound connections from MSFM to unexpected destinations
SIEM Query:
source="web_logs" AND uri="/system/table/addField" AND (body="*@type*" OR body="*$ref*")
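The log and network indicators above, together with the version check in the "How to Verify" section, can be turned into a small offline detection script. The following is an added example written for this page, not code from MSFM or the issue tracker; it assumes a constructed tab-separated log format (method, path, status, body) and that MSFM versions follow the YYYY.MM.DD form shown in the advisory. The fastjson markers are matched on the raw request body, the same way the ModSecurity rule above does, so malformed or partially obfuscated JSON is still flagged.

```python
import re
from typing import Iterable, List, Optional

# Endpoint named in the advisory as the vulnerable one.
VULN_PATH = "/system/table/addField"

# Fixed version from the advisory; anything older is considered vulnerable.
FIXED_VERSION = "2025.01.01"

# fastjson markers from the advisory's network indicators and WAF rule.
# Matched on the raw body rather than parsed JSON so invalid JSON is still caught.
FASTJSON_MARKERS = re.compile(r'"(?:@type|\$ref)"')


def version_is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Compare date-style versions (assumed YYYY.MM.DD scheme) as integer tuples."""
    def key(v: str) -> tuple:
        return tuple(int(part) for part in v.split("."))
    return key(version) < key(fixed)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line: method<TAB>path<TAB>status<TAB>body."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    method, path, status, body = parts
    return {"method": method, "path": path, "status": status, "body": body}


def is_suspicious(entry: dict) -> bool:
    """True for a POST to the vulnerable endpoint whose body carries @type or $ref."""
    if entry["method"] != "POST":
        return False
    # Ignore the query string so the match mirrors the uri= clause of the SIEM query.
    path = entry["path"].split("?", 1)[0]
    if path != VULN_PATH:
        return False
    return bool(FASTJSON_MARKERS.search(entry["body"]))


def scan(lines: Iterable[str]) -> List[dict]:
    """Return every parsed log entry that matches the advisory's indicators."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_suspicious(entry):
            hits.append(entry)
    return hits


# Constructed sample log lines; class names and values are placeholders, not real payloads.
SAMPLE_LOG = [
    "GET\t/system/table/list\t200\t",
    'POST\t/system/table/addField\t200\t{"fieldName":"title","fieldType":"varchar"}',
    'POST\t/system/table/addField?tableId=3\t500\t{"@type":"com.example.Placeholder","x":1}',
    'POST\t/system/table/addField\t200\t{"a":{"$ref":"$"}}',
    'POST\t/login\t200\t{"@type":"x"}',
]

if __name__ == "__main__":
    print("version 2024.12.31 vulnerable:", version_is_vulnerable("2024.12.31"))
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit['method']} {hit['path']} status={hit['status']} body={hit['body']}")
```

Only the two POSTs to the endpoint that carry a fastjson marker are reported; the benign addField request and the @type body sent to an unrelated path are ignored, which is the same scoping the SIEM query applies. Replace `parse_line` with a parser for your own access-log format before running it against real data.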