CVE-2024-58280

8.8 HIGH

📋 TL;DR

CMSimple 5.15 contains a remote command execution vulnerability where authenticated attackers can modify file extension settings to upload malicious PHP files. This allows execution of arbitrary code on the server. All CMSimple 5.15 installations with authenticated user access are affected.

💻 Affected Systems

Products:
  • CMSimple
Versions: 5.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; default installations are vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, ransomware deployment, or complete system takeover

🟠 Likely Case: Webshell installation enabling persistent backdoor access, data exfiltration, and lateral movement

🟢 If Mitigated: Limited impact if proper file upload restrictions and user access controls are implemented

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is straightforward to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available; upgrade to a newer version if available or implement workarounds

🔧 Temporary Workarounds

Restrict file upload extensions (Platform: all)

Modify CMSimple configuration to restrict allowed file extensions and prevent PHP file uploads

Edit config.php or relevant configuration files to remove 'php' from allowed extensions

Web server file type restrictions (Platform: all)

Configure web server to block execution of PHP files in upload directories

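For Apache: Add 'php_flag engine off' to .htaccess in the media directory (the directive is only available where PHP runs as mod_php)
For Nginx: Add 'location ~ ^/media/.*\.php$ { deny all; }' to the server block, ahead of the general PHP handler location, adjusting /media/ to the actual upload path (an unscoped 'location ~ \.php$ { deny all; }' would also block CMSimple's own PHP pages)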

🧯 If You Can't Patch

  • Restrict authenticated user access to minimum required permissions
  • Implement web application firewall rules to block suspicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check if running CMSimple 5.15 and verify if PHP files can be uploaded to media directory

Check Version:

Check CMSimple version in admin panel or version.php file

Verify Fix Applied:

Attempt to upload a PHP file to media directory; should be blocked or not execute

📡 Detection & Monitoring

Log Indicators:

  • File uploads with .php extension to media directory
  • Configuration changes to Extensions_userfiles
  • Unusual authenticated user activity

Network Indicators:

  • POST requests to file upload endpoints with PHP content
  • HTTP requests to newly uploaded PHP files

SIEM Query:

source="web_logs" AND ((uri="*upload*" AND file_extension="php") OR uri="*/media/*.php")
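
The log indicators and SIEM query above, written as detection logic over web access logs (an added example, not from the advisory or from CMSimple). It assumes Combined Log Format and that uploads are served from /media/ as in the query; the sample lines and the /admin/upload path are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: uploads land under /media/, as in the page's SIEM query.
# Matches x.php, x.php?a=1 and x.php/extra, but not x.php.txt.
PHP_IN_MEDIA = re.compile(r'/media/[^?]*\.php(?:[/?]|$)', re.I)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.10 - - [10/Mar/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "POST /admin/upload HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /media/report.php HTTP/1.1" 200 734 "-" "-"',
    '198.51.100.10 - - [10/Mar/2025:10:02:00 +0000] "GET /media/logo.png HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.44 - - [10/Mar/2025:10:03:30 +0000] "GET /media/old.php?x=1 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.10 - - [10/Mar/2025:10:04:00 +0000] "GET /media/notes.php.txt HTTP/1.1" 200 90 "-" "-"',
]

def scan(lines):
    """Return one finding per request for a PHP file under /media/."""
    upload_posts = defaultdict(int)  # client ip -> upload POSTs seen so far
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        ip, method, uri = m["ip"], m["method"], m["uri"]
        status = int(m["status"])
        if method == "POST" and "upload" in uri.lower():
            upload_posts[ip] += 1
        if PHP_IN_MEDIA.search(uri):
            findings.append({
                "line": n, "ip": ip, "uri": uri, "status": status,
                # 2xx: the server answered the request instead of refusing it
                "served": 200 <= status < 300,
                # the same client posted to an upload endpoint earlier in the log
                "after_upload": upload_posts[ip] > 0,
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with both `served` and `after_upload` set is the one to triage first; a `403` finding shows the web server restriction doing its job.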
