Cyber Resilience

CVE-2024-56145

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 18 December 2024
Modified: 24 October 2025
KEV Added: 02 June 2025
CVSS v4.0 Score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.9393 (99.9th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56145 is a critical-severity Code Injection (CWE-94) vulnerability in Craft CMS by craftcms. Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

Craft CMS is affected by a remote code execution vulnerability when the PHP configuration directive register_argc_argv is enabled in php.ini. The flaw, classified as CWE-94 (Code Injection), affects versions prior to 3.9.14, 4.13.2, and 5.5.2 and permits an unspecified code injection path that can be reached over the network.

Unauthenticated remote attackers can exploit the issue to execute arbitrary code on the server, achieving full confidentiality, integrity, and availability impact as reflected in the CVSS 9.3 rating with no required privileges or user interaction.

Advisories and patches direct users to upgrade to the fixed releases listed above; operators unable to patch immediately should disable register_argc_argv to remove the attack surface. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, a public proof-of-concept has been published, and the EPSS score has reached 0.94.


Vulnerability details

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
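The advisory text above and the deeper analysis name two conditions for exposure: a Craft release below the first fixed version of its branch, and `register_argc_argv` enabled in php.ini. The following audit helper checks both; it is an added example, not the advisory's or Craft CMS's own code, and the php.ini fragments and the single-file (no per-directory section) assumption are constructed for the demonstration.

```python
"""CVE-2024-56145 exposure check for a Craft CMS host (constructed example,
not advisory or Craft code): release vs. first fixed version, plus the
effective register_argc_argv setting in php.ini."""

# First fixed release per affected branch, from the advisory.
FIXED_RELEASES = {3: (3, 9, 14), 4: (4, 13, 2), 5: (5, 5, 2)}

def parse_version(version):
    """'4.13.1' -> (4, 13, 1), so releases compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def craft_version_patched(version):
    """True if the release is at or above the fix for its branch."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[0])
    return True if fixed is None else parsed >= fixed  # unlisted branch: not affected

def register_argc_argv_enabled(ini_text):
    """Effective register_argc_argv value from php.ini text: ';' starts a
    comment, the last assignment wins, and an absent directive means PHP's
    built-in default of On (php.ini-production sets it Off, a hand-written
    file may not). Assumes one file without per-directory [PATH=...] sections."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, rhs = line.partition("=")
        if sep and key.strip().lower() == "register_argc_argv":
            value = rhs.strip().strip('"').lower()
    if value is None or value in ("on", "yes", "true"):
        return True
    return value.isdigit() and int(value) != 0   # "1" on; "0"/"off"/"" off

def assess(craft_version, ini_text):
    """'patched' if the release carries the fix; else 'mitigated' when the
    directive is Off, or 'exposed' when the RCE precondition holds."""
    if craft_version_patched(craft_version):
        return "patched"
    return "exposed" if register_argc_argv_enabled(ini_text) else "mitigated"

# Constructed php.ini fragments used for the demonstration below.
INI_PRODUCTION_STYLE = "; constructed sample\nregister_argc_argv = Off\n"
INI_ENABLED = "[PHP]\nregister_argc_argv = Off ; overridden below\nregister_argc_argv = On\n"

if __name__ == "__main__":
    for version in ("4.13.1", "4.13.2", "5.5.1"):
        print(version, assess(version, INI_PRODUCTION_STYLE), assess(version, INI_ENABLED))
```

Point `register_argc_argv_enabled` at the php.ini actually loaded by the web SAPI (`php --ini` or `phpinfo()` shows the path), since the CLI SAPI forces the directive on regardless of the file.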

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 02 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: craftcms
Product: craft cms
Affected versions: 3.0.0 up to (excluding) 3.9.14 · 4.0.0 up to (excluding) 4.13.2 · 5.0.0 up to (excluding) 5.5.2

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: directly requires timely installation of the vendor patches (3.9.14/4.13.2/5.5.2) that close the register_argc_argv RCE vector.

CM-6 (Configuration Settings), prevent: mandates explicit configuration settings that disable register_argc_argv in php.ini, eliminating the precondition for the exploit.

CM-7 (Least Functionality), prevent: enforces least functionality by removing the unnecessary argc/argv argument-passing capability that the vulnerability abuses.
