CVE-2024-6944

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in ZhongBangKeJi CRMEB allows remote attackers to execute arbitrary code through deserialization of untrusted data in the get_image_base64 function. Affected systems include CRMEB versions up to 5.4.0, potentially enabling complete system compromise.

💻 Affected Systems

Products:
  • ZhongBangKeJi CRMEB
Versions: Up to and including 5.4.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution allowing attackers to install malware, create backdoors, or steal sensitive data from the compromised system.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and input validation are in place to block exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require initial network access, reducing exposure compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch is available. Upgrade to a version above 5.4.0 if one is released, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization


Add strict input validation to the get_image_base64 function to reject malicious serialized data

Modify PublicController.php to validate and sanitize the 'file' parameter before processing

WAF Rule Implementation


Deploy web application firewall rules to block deserialization attempts

Add WAF rules to detect and block patterns matching PHP object injection or serialized data in requests

🧯 If You Can't Patch

  • Isolate affected systems from internet access using network segmentation
  • Implement strict network monitoring and alerting for suspicious deserialization patterns

🔍 How to Verify

Check if Vulnerable:

Check the CRMEB version in the admin panel or by examining version files. If the version is 5.4.0 or lower, the system is vulnerable.

Check Version:

Check the admin panel or examine files such as version.php, readme.txt, or composer.json for version information.

Verify Fix Applied:

Send serialized test data to the get_image_base64 endpoint and confirm it is rejected, and review the code changes in PublicController.php.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to PublicController.php with serialized data in parameters
  • PHP errors related to unserialize() or object injection

Network Indicators:

  • HTTP requests containing serialized PHP objects (O: or a: patterns) in parameters
  • Unusual outbound connections from CRMEB server

SIEM Query:

source="web_logs" AND uri="*PublicController*" AND (param="*O:*" OR param="*a:*")
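As an added illustration of the log and network indicators above (not part of the original advisory), the following Python snippet applies the same `O:`/`a:` heuristics to request records but anchors on the serialization length prefix (`O:3:"`, `a:2:{`), so values such as `data:image/png`, which the `*a:*` wildcard in the SIEM query also matches, are not flagged; it also URL-decodes parameters a second time to catch double-encoded data. Paths, IPs and the placeholder class name `Foo` are constructed; the request records are assumed to come from a WAF or application log that captures POST bodies, since an access log alone does not.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# PHP serialization markers: objects O:<len>:"<class>", arrays a:<count>:{, strings s:<len>:".
# Requiring the digit-and-colon prefix avoids matching ordinary text such as "data:image".
PHP_SERIALIZED = re.compile(r'(?:O:\d+:"|a:\d+:\{|s:\d+:")')

# Assumption: the vulnerable controller is reachable under a path containing one of these
# names; adjust to how your CRMEB deployment routes requests.
WATCHED_PATHS = ("PublicController", "get_image_base64")

def serialized_params(url, body=""):
    """Return {param: decoded_value} for query/body parameters that look like PHP serialized data."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    hits = {}
    for name, values in params.items():
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double URL-encoded payloads
            if PHP_SERIALIZED.search(decoded):
                hits[name] = decoded
    return hits

def scan_requests(requests):
    """Return (client_ip, param, decoded_value) for watched-path requests carrying serialized data."""
    findings = []
    for req in requests:
        if not any(p in req["url"] for p in WATCHED_PATHS):
            continue
        for name, value in serialized_params(req["url"], req.get("body", "")).items():
            findings.append((req["ip"], name, value))
    return findings

# Constructed sample requests (IPs, paths and the placeholder class name "Foo" are made up).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "url": "/api/PublicController/get_image_base64?file=%2Fuploads%2Flogo.png"},
    {"ip": "198.51.100.7", "url": "/api/PublicController/get_image_base64",
     "body": "file=O%3A3%3A%22Foo%22%3A0%3A%7B%7D"},
    {"ip": "198.51.100.8", "url": "/api/PublicController/get_image_base64",
     "body": "file=O%253A3%253A%2522Foo%2522%253A0%253A%257B%257D"},  # double-encoded
    {"ip": "192.0.2.5", "url": "/api/PublicController/get_image_base64?file=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgo"},
]

if __name__ == "__main__":
    for ip, param, value in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {ip} param={param!r} value={value!r}")
```

Only the two requests carrying a serialized object are reported; the benign file path and the `data:` URI are not.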
