CVE-2024-58280
Published: 10 December 2025
Summary
CVE-2024-58280 is a high-severity vulnerability in CMSimple, recorded against CWE-403 (Exposure of File Descriptor or Handle to an Unauthorized Control Sphere, also labelled "File Descriptor Leak"). Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the flaw in CMSimple 5.15 that allows authenticated attackers to append ',php' to Extensions_userfiles and upload executable shells.
- Restricts low-privilege authenticated users from modifying the vulnerable Extensions_userfiles configuration setting.
- Enforces least privilege to prevent low-privilege users from accessing functions that alter file extension controls or upload executable files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing CMSimple CMS allows authenticated low-privilege users to bypass file extension controls and upload PHP web shells for remote command execution. That directly maps to T1190 (Exploit Public-Facing Application) for the initial foothold and to Web Shell for persistence and command execution; the page records the latter as T1100, the original Web Shell technique ID, which MITRE has since retired in favour of T1505.003 (Server Software Component: Web Shell).
NVD Description
CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server.
Deeper analysis
CMSimple 5.15, a content management system, is affected by CVE-2024-58280, a remote command execution vulnerability recorded against CWE-403 (Exposure of File Descriptor or Handle to an Unauthorized Control Sphere). The flaw enables authenticated attackers to manipulate file extension controls by appending ',php' to the Extensions_userfiles configuration setting, allowing the upload of malicious PHP files, such as shell scripts, to the media directory. This results in arbitrary code execution on the server, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Note that CWE-403 describes leaking a file descriptor or handle across a trust boundary; the behaviour actually described here is an upload of executable files that bypasses an extension allowlist, so the recorded CWE should not be relied on when triaging the root cause.
Authenticated users with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants attackers high-impact confidentiality, integrity, and availability compromises, including full server-side code execution via uploaded PHP shells in the media directory.
Advisories and related resources include a VulnCheck advisory detailing the remote command execution via extensions configuration, an Exploit-DB entry (52040) providing a public proof-of-concept, and CMSimple's official site with a download link for version 5.15, the affected release. No specific patch or mitigation details are outlined in the available references.
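Since the references give no patch details, the practical checks are to audit the stored extension allowlist for executable types and to sweep the upload directory for files a PHP-capable server would run. The following is an added example written for this page, not code from CMSimple or from the VulnCheck or Exploit-DB references; the `$cf['extensions']['userfiles']` key layout used to represent the Extensions_userfiles setting in config.php, the sample configuration, and the sample filenames are all assumptions constructed for illustration.

```python
"""Audit helpers for the CMSimple Extensions_userfiles upload weakness.

Added example for this page; not CMSimple's own code. The config.php key
layout ($cf['extensions']['userfiles']) is an assumption made for the
example, as are the sample inputs below.
"""
import re

# Extensions a typical PHP-enabled web server will execute. This list is the
# example's own choice; the advisory only mentions 'php'.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Assumed on-disk form of the setting: a PHP array assignment in config.php.
CONFIG_LINE = re.compile(
    r"""\$cf\['(\w+)'\]\['(\w+)'\]\s*=\s*["']([^"']*)["']\s*;"""
)


def parse_extension_list(value: str) -> list[str]:
    """Split a comma-separated allowlist such as 'jpg,png,pdf,php' into
    normalised extensions (lower-case, no leading dot, no blanks)."""
    return [e.strip().lower().lstrip(".") for e in value.split(",") if e.strip()]


def find_executable_extensions(value: str) -> list[str]:
    """Return the executable extensions present in an allowlist value."""
    return sorted(set(parse_extension_list(value)) & EXECUTABLE_EXTS)


def harden_extension_list(value: str) -> str:
    """Return the allowlist with every executable extension removed,
    preserving the original order of the remaining entries."""
    kept = [e for e in parse_extension_list(value) if e not in EXECUTABLE_EXTS]
    return ",".join(kept)


def audit_config(text: str) -> list[str]:
    """Scan config.php text and report every extension allowlist that
    would let an uploader store server-executable files."""
    findings = []
    for section, key, value in CONFIG_LINE.findall(text):
        if section.lower() != "extensions":
            continue
        bad = find_executable_extensions(value)
        if bad:
            findings.append(
                f"{section}_{key} allows executable extensions: {', '.join(bad)}"
            )
    return findings


def suspicious_uploads(names) -> list[str]:
    """Flag filenames with an executable extension anywhere after the first
    dot. This catches shell.php as well as shell.php.jpg, which Apache
    AddHandler-style matching may still hand to the PHP interpreter."""
    flagged = []
    for name in names:
        segments = name.lower().split(".")[1:]
        if any(seg in EXECUTABLE_EXTS for seg in segments):
            flagged.append(name)
    return flagged


# Constructed sample input: a config.php fragment after the attack described
# above has appended ',php' to the userfiles allowlist (assumed layout).
SAMPLE_CONFIG = """<?php
$cf['extensions']['userfiles']="jpg,png,gif,pdf,zip,php";
$cf['extensions']['images']="jpg,png,gif";
$cf['site']['title']="demo";
"""

# Constructed sample directory listing of the media folder.
SAMPLE_MEDIA = ["logo.png", "report.pdf", "shell.php", "shell.php.jpg"]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    print("HARDENED userfiles:", harden_extension_list("jpg,png,gif,pdf,zip,php"))
    for name in suspicious_uploads(SAMPLE_MEDIA):
        print("UPLOAD:", name)
```

Run this against the real config.php and media directory of a CMSimple install to confirm the allowlist has not been tampered with; the hardened value it prints is the setting to restore. The file sweep is a detection aid only and does not replace server-side hardening that disables script execution in the upload directory.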
Details
- CWE(s)