Cyber Posture

CVE-2024-32640

Critical

Published: 11 August 2025

Published
11 August 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9372 99.9th percentile
Risk Priority 76 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-32640 is a critical-severity SQL Injection (CWE-89) vulnerability in Projectdiscovery (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents SQL injection attacks like CVE-2024-32640 by enforcing validation of all inputs to the processAsyncObject method, blocking malicious SQL payloads.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, testing, and patching of flaws such as this SQL injection vulnerability, aligning with the vendor's fix in versions 7.4.5, 7.3.12, and 7.2.7.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Requires vulnerability scanning that identifies SQL injection flaws like CVE-2024-32640, enabling proactive remediation before remote code execution can occur.

NVD Description

MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and…

more

7.2.7 contain a fix for the issue.

Deeper analysisAI

CVE-2024-32640 is a SQL injection vulnerability in the `processAsyncObject` method of MASA CMS, an open-source Enterprise Content Management platform. It affects versions prior to 7.4.5, 7.3.12, and 7.2.7, potentially allowing remote code execution. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact remote code execution, enabling full compromise of the affected system including confidentiality, integrity, and availability violations.

Mitigation involves upgrading to MASA CMS versions 7.4.5, 7.3.12, or 7.2.7, which include fixes for the issue as detailed in GitHub commits such as 259fc6061d022d5025a3289a3f8de9852ad9c91d, 280489e2d6c8daf5022fdb0225235462dd9d4534, and 3d6319b8775bb6438bc822d845926990511f5075, along with the security advisory at GHSA-24rr-gwx3-jhqc.

Details

CWE(s)
CWE-89

Affected Products

Projectdiscovery
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-2094Shared CWE-89
CVE-2023-37777Shared CWE-89
CVE-2026-3180Shared CWE-89
CVE-2025-1872Shared CWE-89
CVE-2026-23492Shared CWE-89
CVE-2024-12016Shared CWE-89
CVE-2025-26200Shared CWE-89
CVE-2019-25541Shared CWE-89
CVE-2024-57629Shared CWE-89
CVE-2019-25699Shared CWE-89

References