CVE-2024-56145
Published: 18 December 2024
Summary
CVE-2024-56145 is a critical-severity Code Injection (CWE-94) vulnerability in Craft CMS (vendor: Craftcms). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
Craft CMS is affected by a remote code execution vulnerability when the PHP configuration directive register_argc_argv is enabled in php.ini. The flaw, classified as CWE-94 (Code Injection), affects versions prior to 3.9.14, 4.13.2, and 5.5.2 and exposes an unspecified code injection path that is reachable over the network.
Unauthenticated remote attackers can exploit the issue to execute arbitrary code on the server; the CVSS 9.3 rating reflects full confidentiality, integrity, and availability impact with no privileges or user interaction required.
Advisories and patches direct users to upgrade to the fixed releases listed above; operators unable to patch immediately should disable register_argc_argv in php.ini, which removes the precondition for exploitation. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, a public proof-of-concept has been published, and the EPSS score has reached 0.94.
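As an added triage helper (not from the advisory, from Craft CMS, or from the vendor), the following POSIX shell script checks the two preconditions described above on a host: an installed Craft version below the fixed release for its branch, and register_argc_argv effectively enabled in php.ini. It assumes the version string is passed as an argument and the php.ini text is supplied on stdin; treating an absent directive as enabled follows PHP's documented built-in default for register_argc_argv.

```shell
# Added triage helper for CVE-2024-56145 (not from the advisory or from Craft CMS).
# Assumed inputs: the installed Craft version string and the php.ini text on stdin.
FIXED_3=3.9.14; FIXED_4=4.13.2; FIXED_5=5.5.2   # fixed releases from the advisory

# version_lt A B -> exit 0 when dotted version A is strictly lower than B
# (pre-release suffixes such as "-beta.1" are dropped before comparing).
version_lt() {
    a="${1%%-*}" b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# craft_version_vulnerable V -> exit 0 when V predates the fix on its own branch.
craft_version_vulnerable() {
    case "$1" in
        3.*) version_lt "$1" "$FIXED_3" ;;
        4.*) version_lt "$1" "$FIXED_4" ;;
        5.*) version_lt "$1" "$FIXED_5" ;;
        *)   return 1 ;;   # branch not covered by the advisory
    esac
}

# argc_argv_enabled < php.ini -> exit 0 when register_argc_argv is effectively on.
# PHP's built-in default for the directive is On, so an absent or commented-out
# line counts as enabled; the last uncommented assignment wins.
argc_argv_enabled() {
    state=on
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%;*}"                       # strip ';' comments
        case "$line" in
            *register_argc_argv*=*)
                val="$(printf '%s' "${line#*=}" | tr -d ' \t"' | tr 'A-Z' 'a-z')"
                case "$val" in 1|on|true|yes) state=on ;; *) state=off ;; esac ;;
        esac
    done
    [ "$state" = on ]
}

# cve_2024_56145_exposed V < php.ini -> exit 0 only when both preconditions hold.
cve_2024_56145_exposed() {
    craft_version_vulnerable "$1" && argc_argv_enabled
}
```

Run it as `cve_2024_56145_exposed "<installed version>" < /path/to/php.ini`; an exit status of 0 means the host needs the patch or the php.ini change.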
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3545
Vulnerability details
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 02 June 2025
Related Threats
No named actor attribution yet; ATT&CK technique mapping is in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5) AI
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches (3.9.14/4.13.2/5.5.2) that close the register_argc_argv RCE vector.
- CM-6 (Configuration Settings): mandates an explicit configuration setting that disables register_argc_argv in php.ini, eliminating the precondition for the exploit.
- CM-7 (Least Functionality): enforces least functionality by removing the unneeded argc/argv argument-passing capability that the vulnerability abuses.