Cyber Resilience

CVE-2024-32640

Severity: Critical
Published: 11 August 2025
Modified: 15 April 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (fixed in 7.4.5, 7.3.12, and 7.2.7)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9372 (99.9th percentile)
Risk Priority: 76 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-32640 is a critical-severity SQL injection (CWE-89) vulnerability in the processAsyncObject method of MASA CMS, affecting versions prior to 7.4.5, 7.3.12, and 7.2.7. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of all CVEs by EPSS exploit likelihood, yet it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

MASA CMS is an open source enterprise content management platform affected by a SQL injection vulnerability in the processAsyncObject method. The flaw exists in versions prior to 7.4.5, 7.3.12, and 7.2.7 and is tracked as CWE-89 with a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can supply crafted input to the vulnerable method and achieve arbitrary code execution on the server, resulting in full compromise of the confidentiality, integrity, and availability of the CMS instance.
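As an added illustration of the weakness class (CWE-89) described above, and of the input validation that the SI-10 control below calls for, the snippet that follows is example code written for this page; it is not code from Masa CMS, from its advisory, or from the public proof of concept. It builds a throwaway SQLite table, shows a lookup that splices a caller-supplied identifier into the query text, the same lookup with the identifier bound as a parameter, and an allow-list check in front of the query. The table, column names, identifier format and the `' OR 1=1 --` payload are constructed for the example and say nothing about the real query, parameter names or request format of processAsyncObject.

```python
import re
import sqlite3

# Constructed sample store for the example (not the Masa CMS schema).
SAMPLE_ROWS = [
    ("a1", "Public page", 1),
    ("b2", "Draft page (private)", 0),
]


def make_db():
    """Create an in-memory SQLite database with two content rows, one unapproved."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE content (contentid TEXT PRIMARY KEY, title TEXT, approved INTEGER)"
    )
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, content_id):
    """CWE-89 pattern: the caller-supplied id is spliced into the SQL text.

    A quote inside content_id terminates the string literal, so the rest of
    the input is parsed as SQL. Titles are returned sorted so the result does
    not depend on the query plan's row order.
    """
    sql = (
        "SELECT title FROM content WHERE contentid = '"
        + content_id
        + "' AND approved = 1"
    )
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, content_id):
    """Hardened form: the id is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT title FROM content WHERE contentid = ? AND approved = 1"
    return sorted(row[0] for row in conn.execute(sql, (content_id,)))


# Allow-list for the identifier format used by this example's ids.
# Assumed here; a real deployment needs a rule matching its own identifiers.
CONTENT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def is_valid_content_id(content_id):
    """SI-10 style validation: accept only the identifier alphabet, reject anything else."""
    return CONTENT_ID_RE.fullmatch(content_id) is not None


def lookup_hardened(conn, content_id):
    """Validate first, then query with a bound parameter: two independent layers."""
    if not is_valid_content_id(content_id):
        raise ValueError("rejected content id: %r" % content_id)
    return lookup_parameterized(conn, content_id)


if __name__ == "__main__":
    # The trailing "--" comments out the "approved = 1" filter in the spliced query,
    # so the vulnerable lookup leaks the unapproved row as well.
    payload = "' OR 1=1 --"
    conn = make_db()
    print("vulnerable   :", lookup_vulnerable(conn, payload))
    print("parameterized:", lookup_parameterized(conn, payload))
    try:
        lookup_hardened(conn, payload)
    except ValueError as exc:
        print("validation   :", exc)
```

Run stand-alone, the vulnerable lookup returns both titles for the payload while the parameterized one returns nothing and the validated path rejects the input before any query runs. Whether an injection of this kind escalates from data access to code execution depends on the database engine and on what the application does with the query result; the advisory for CVE-2024-32640 states that it does in Masa CMS, which is why the parameterized query, not input filtering alone, is the fix to rely on.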

The maintainers have published fixes in the referenced releases along with commits that close the injection vector; the accompanying GitHub security advisory recommends immediate upgrade for all prior versions.

A public proof-of-concept exploit targeting the issue is available, and the vulnerability carries a sustained high EPSS score of 0.9372.


Vulnerability details

MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7 contain a fix for the issue.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

SQL injection in public-facing CMS directly enables remote exploitation (T1190) leading to unauthenticated RCE (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-53595 (shared CWE-89)
CVE-2026-39815 (shared CWE-89)
CVE-2024-55460 (shared CWE-89)
CVE-2026-44863 (shared CWE-89)
CVE-2025-53475 (shared CWE-89)
CVE-2025-11165 (shared CWE-89)
CVE-2024-56804 (shared CWE-89)
CVE-2025-36588 (shared CWE-89)
CVE-2026-44864 (shared CWE-89)
CVE-2025-29893 (shared CWE-89)

Affected Assets

MASA CMS, versions prior to 7.4.5, 7.3.12, and 7.2.7 (per the vulnerability description)
NVD did not file a CPE for this CVE. The Projectdiscovery entry previously inferred from the reference list is a vulnerability scanning project, not the affected product.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Enforcing validation of all inputs that reach the processAsyncObject method narrows the attack surface for SQL injection such as CVE-2024-32640 by rejecting input outside the expected format. Validation is a defence in depth, not a substitute for the vendor fix, which removes the injection vector in code.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, testing, and patching of flaws such as this SQL injection vulnerability, aligning with the vendor's fix in versions 7.4.5, 7.3.12, and 7.2.7.

Vulnerability scanning (detect)
Requires vulnerability scanning that identifies SQL injection flaws like CVE-2024-32640, enabling remediation before remote code execution can occur.
