Cyber Resilience

CVE-2024-32641

CriticalPublic PoCRCE

Published: 03 December 2025

Published
03 December 2025
Modified
05 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0184 83.4th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-32641 is a critical-severity Code Injection (CWE-94) vulnerability in Masacms Masacms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-32641 is a remote code execution vulnerability affecting Masa CMS, an open source Enterprise Content Management platform. Versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable due to improper handling of user input in the addParam function. Specifically, the criteria parameter accepts unsanitized input that is passed to setDynamicContent for evaluation, enabling arbitrary code execution through the m tag. The issue is classified under CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious criteria parameter, the attacker triggers code evaluation in setDynamicContent, achieving full remote code execution on the server. This grants high confidentiality, integrity, and availability impacts, potentially allowing full system compromise.

The vulnerability is patched in Masa CMS versions 7.2.8, 7.3.13, and 7.4.6. Security practitioners should upgrade to these versions immediately. Additional details are available in the GitHub security advisory at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm and the patching commit at https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6.

EU & UK References

Vulnerability details

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter.…

more

This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-32641 enables unauthenticated remote code execution in the public-facing Masa CMS web application via unsanitized input leading to code evaluation, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13773Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2026-30643Shared CWE-94
CVE-2026-30460Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2024-13792Shared CWE-94
CVE-2020-37052Shared CWE-94
CVE-2026-42555Shared CWE-94
CVE-2025-65037Shared CWE-94

Affected Assets

masacms
masacms
≤ 7.2.8 · 7.3 — 7.3.13 · 7.4.0 — 7.4.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through patching Masa CMS to versions 7.2.8, 7.3.13, or 7.4.6 directly eliminates the improper input handling in addParam that enables remote code execution.

prevent

Validating the criteria parameter with organization-defined tools and procedures prevents unsanitized user input from being evaluated by setDynamicContent, blocking arbitrary code execution via the m tag.

preventdetect

Boundary protection via web application firewalls monitors and controls inbound traffic, blocking or alerting on malicious criteria payloads attempting code injection exploits.

References