CVE-2024-32640
Published: 11 August 2025
Summary
CVE-2024-32640 is a critical-severity SQL Injection (CWE-89) vulnerability in Projectdiscovery (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
MASA CMS is an open source enterprise content management platform affected by a SQL injection vulnerability in the processAsyncObject method. The flaw exists in versions prior to 7.4.5, 7.3.12, and 7.2.7 and is tracked as CWE-89 with a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply crafted input to the vulnerable method and achieve arbitrary code execution on the server, resulting in full compromise of the confidentiality, integrity, and availability of the CMS instance.
The maintainers have published fixes in the referenced releases along with commits that close the injection vector; the accompanying GitHub security advisory recommends immediate upgrade for all prior versions.
A public proof-of-concept exploit targeting the issue is available, and the vulnerability carries a sustained high EPSS score of 0.9372.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30442
Vulnerability details
MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7 contain a fix for the issue.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing CMS directly enables remote exploitation (T1190) leading to unauthenticated RCE (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection attacks like CVE-2024-32640 by enforcing validation of all inputs to the processAsyncObject method, blocking malicious SQL payloads.
- SI-2 (Flaw Remediation): Mandates timely identification, testing, and patching of flaws such as this SQL injection vulnerability, aligning with the vendor's fix in versions 7.4.5, 7.3.12, and 7.2.7.
- Vulnerability scanning: Requires scanning that identifies SQL injection flaws like CVE-2024-32640, enabling proactive remediation before remote code execution can occur.
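To make the SI-10 control concrete, the following is an added illustration and not MASA CMS code: a hypothetical object-lookup handler written three ways, with an in-memory SQLite table standing in for the CMS database. `lookup_vulnerable` splices the caller-supplied identifier into the SQL text (the CWE-89 pattern), `lookup_parameterized` binds it as a query parameter so it can only ever be compared as a value, and `lookup_hardened` additionally rejects any identifier outside an allowlist before the query runs. The schema, function names and sample rows are all constructed for this example.

```python
import re
import sqlite3

# Constructed stand-in for a CMS "async object" registry (hypothetical schema).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (object_id TEXT PRIMARY KEY, payload TEXT)")
    conn.executemany(
        "INSERT INTO objects VALUES (?, ?)",
        [("news-1", "public news item"), ("admin-cfg", "site configuration")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, object_id: str) -> list:
    # CWE-89: the untrusted value becomes part of the SQL text, so the caller
    # controls the query's structure rather than just a compared value.
    sql = f"SELECT payload FROM objects WHERE object_id = '{object_id}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, object_id: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL,
    # so quotes or operators inside it are never parsed as syntax.
    sql = "SELECT payload FROM objects WHERE object_id = ?"
    return sorted(row[0] for row in conn.execute(sql, (object_id,)))


# Allowlist for identifiers: short, alphanumeric plus '-' and '_'.
OBJECT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_object_id(object_id: str) -> bool:
    # SI-10 style validation: accept only values that match the expected shape.
    return OBJECT_ID_RE.fullmatch(object_id) is not None


def lookup_hardened(conn: sqlite3.Connection, object_id: str) -> list:
    # Validation first, then a parameterized query; both layers are independent.
    if not validate_object_id(object_id):
        raise ValueError("rejected object id: does not match allowlist")
    return lookup_parameterized(conn, object_id)


if __name__ == "__main__":
    crafted = "x' OR '1'='1"  # classic tautology, used here only to show the difference
    db = build_db()
    print("vulnerable:    ", lookup_vulnerable(db, crafted))
    print("parameterized: ", lookup_parameterized(db, crafted))
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("hardened:      ", exc)
```

Running it shows the vulnerable path returning every row in the table for the crafted identifier, the parameterized path returning nothing (the string is compared literally and matches no row), and the hardened path refusing the input before any query executes. The allowlist is the layer an SI-10 control asks for; the bound parameter is what actually removes the injection class, so a fix should keep both rather than rely on validation alone.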