Cyber Resilience

CVE-2024-57169

CriticalPublic PoC

Published: 18 March 2025

Published
18 March 2025
Modified
02 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0033 56.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57169 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Soplanning Soplanning. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2024-57169 is a file upload bypass vulnerability in SOPlanning version 1.53.00, specifically affecting the /process/upload.php endpoint. This flaw allows remote attackers to circumvent upload restrictions, enabling the upload of malicious files that could lead to remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By bypassing file upload validations, attackers can upload web shells or other malicious payloads to the server, potentially achieving full remote code execution and compromising the affected SOPlanning instance.

Advisories detailing the vulnerability, including analysis of the arbitrary file upload leading to RCE, are available at https://themcsam.github.io/posts/so-planing-vulnerabilities/#arbitrary-file-upload-leading-to-rce.

EU & UK References

Vulnerability details

A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malicious files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability is an arbitrary file upload bypass in a public-facing web app (enabling T1190) that directly allows deployment of web shells for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434
CVE-2026-2097Shared CWE-434
CVE-2025-12154Shared CWE-434
CVE-2026-42748Shared CWE-434
CVE-2025-32957Shared CWE-434

Affected Assets

soplanning
soplanning
1.53.00

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses file upload bypass by validating uploaded files to ensure they are safe and reject dangerous types that could lead to RCE.

preventdetect

Scans and eradicates malicious code in uploaded files such as web shells, preventing exploitation for remote code execution.

prevent

Restricts file types and input characteristics to block unrestricted uploads of dangerous files beyond simple validation bypasses.

References