Cyber Resilience

CVE-2024-46256

Critical · Public PoC · RCE

Published: 27 September 2024
Modified: 03 June 2025
KEV Added: not listed
Patch: available (corrective commit and pull request; see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6015 (98.3rd percentile)
Risk Priority: 56 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46256 is a critical-severity Command Injection (CWE-77) vulnerability in Jc21 Nginx Proxy Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-46256 is a command injection vulnerability in NginxProxyManager version 2.11.3 that resides in the requestLetsEncryptSsl function within the backend certificate handling code. The flaw, tracked under CWE-77, permits remote code execution when an attacker triggers the Add Let's Encrypt Certificate workflow. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated exploitation with full confidentiality, integrity, and availability impact.

An unauthenticated attacker with network access to the management interface can supply crafted input during certificate provisioning to execute arbitrary commands on the host. Successful exploitation grants the attacker full remote code execution, enabling complete system compromise without requiring credentials or user interaction.

Public references include the vulnerable code path at backend/internal/certificate.js line 830, a corrective commit, and an associated pull request that addresses the injection issue, indicating that upgrading to a patched release is the intended mitigation.

A publicly available proof-of-concept exploit exists, and the CVE's EPSS score has peaked at 0.6860 and currently stands at 0.6015, indicating sustained exploitation interest following disclosure.

Vulnerability details

A command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to achieve RCE via Add Let's Encrypt Certificate.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: jc21
Product: nginx proxy manager
Version: 2.11.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.