CVE-2024-56145

RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms

Basic Information

CVE State
PUBLISHED
Reserved Date
December 16, 2024
Published Date
December 18, 2024
Last Updated
June 06, 2025
Vendor
craftcms
Product
cms
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
Tags
cisa metasploit_scanner php nuclei_scanner

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

Score
94.03% (Percentile: 99.88%) as of 2025-06-14

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-05-30 00:00:00 UTC) Source
Seen in APT Campaigns
Yes (added 2025-05-30 00:00:00 UTC) (Earth Lamia) Source

Known Exploited Vulnerability Information

Source: TrendMicro • Added Date: 2025-05-30 00:00:00 UTC

Recent Mentions

CISA Adds Five Known Exploited Vulnerabilities to Catalog

Source: All CISA Advisories • Published: 2025-06-02 12:00:00 UTC

CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability

  • CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability

  • CVE-2024-56145 Craft CMS Code Injection Vulnerability

  • CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability

  • CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Please share your thoughts with us through our anonymous survey. We appreciate your feedback.

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

craftcms_ftp_template

Type: metasploit • Created: Unknown

Metasploit module for CVE-2024-56145

Sachinart/CVE-2024-56145-craftcms-rce

Type: github • Created: 2024-12-22 11:53:04 UTC • Stars: 2

CVE-2024-56145 SSTI to RCE - twig templates

Chocapikk/CVE-2024-56145

Type: github • Created: 2024-12-20 03:34:01 UTC • Stars: 42

Unauthenticated RCE on CraftCMS when PHP `register_argc_argv` config setting is enabled

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Detected by Metasploit

  • Used in Earth Lamia APT Campaign

  • Added to KEVIntel