[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2024-56145 and CVE-2025-35939: Multiple Vulnerabilities with Craft CMS software

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Mon Jun 2 14:08:08 PDT 2025


Good afternoon,

The SOC Services team is reporting on the vulnerabilities CVE-2024-56145 and CVE-2025-35939 (multiple vulnerabilities in the Craft CMS software). Because of their high visibility, we are providing this in-depth information:

History: On April 30, 2025, it was publicly disclosed that multiple vulnerabilities exist in the Craft CMS software. CVE-2024-56145 was assigned on December 19, 2024, and subsequently given a CVSS score of 9.3 (Critical) by GitHub; CVE-2025-35939 was assigned on May 8, 2025, and subsequently given a CVSS score of 6.9 (Medium) by CISA. As of June 2, 2025, NIST has not yet published its own CVSS score for either CVE.

Affected products and versions:

  *   CVE-2024-56145: >= 5.0.0-RC1 and < 5.5.2; >= 4.0.0-RC1 and < 4.13.2; >= 3.0.0 and < 3.9.14
  *   CVE-2025-35939: >= 5.0.0-alpha and < 5.7.5; 4.x < 4.15.3


Fixed versions:

  *   CVE-2024-56145: 5.5.2, 4.13.2, 3.9.14
  *   CVE-2025-35939: 5.7.5 and 4.15.3

For more information from wiz.io, please see the links here:

https://www.wiz.io/vulnerability-database/cve/cve-2024-56145
https://www.wiz.io/vulnerability-database/cve/cve-2025-35939

Intelligence: As of June 2, 2025, CISA has confirmed that these vulnerabilities are being exploited in the wild and has added them to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2024-56145 is a critical remote code execution (RCE) vulnerability in Craft CMS, a flexible, user-friendly content management system. CVE-2025-35939 allows unauthenticated users to store arbitrary content in session files on the server.

Workarounds: There is a workaround for CVE-2024-56145: disable the register_argc_argv directive in the php.ini used by the web-facing PHP (PHP-FPM, mod_php or CGI) by setting it to Off, then restart PHP-FPM or the web server so the change takes effect. This does not affect business operations: the directive only controls whether web requests populate $_SERVER['argv'], and the PHP CLI SAPI always registers argv regardless of the setting, so Craft's console commands keep working. No workaround is given here for CVE-2025-35939; apply the fixed version.

How it works: Below is information on how these exploits work:


  *   CVE-2024-56145: The vulnerability exists in the bootstrap/bootstrap.php file of Craft CMS, which processes command-line options without verifying that the code is running in a CLI environment. The flaw leverages the behavior of the register_argc_argv PHP directive, which (for the web SAPIs) lets query string arguments populate the $_SERVER['argv'] array, mimicking command-line input. This mechanism allows unauthenticated clients to introduce arbitrary values, including PHP code, into session files without proper sanitization.


  *   CVE-2025-35939: The issue stems from improper sanitization of the return URL parameter. PHP writes session files to the directory configured by session.save_path (`/var/lib/php/sessions` by default on Debian-based systems) with names of the form `sess_[session_id]`, and an attacker can potentially get malicious content written into those files.

Post-Exploit: Upon successful exploitation of the vulnerability, the following activity can take place:

CVE-2024-56145: An attacker can potentially execute arbitrary code on the server.

CVE-2025-35939: An unauthenticated attacker could potentially inject arbitrary values, including PHP code, into a known local file location on the server (the PHP session directory). This could lead to remote code execution or to manipulation of server-side session files, compromising the integrity of the web application.
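The two mechanisms described under How it works and the artifacts listed under Post-Exploit suggest two quick triage checks a SOC can run on a suspect host. The script below is an added example, not code from this advisory or from Craft CMS. It assumes that PHP's CGI/FPM SAPI with register_argc_argv=On builds $_SERVER['argv'] by splitting the raw query string on '+' (the documented PHP behavior the CVE-2024-56145 description relies on), that injected session-file content worth flagging contains a PHP open tag, and that /var/lib/php/sessions is the session directory (the Debian default; check session.save_path). The access-log lines, session-file contents and the option name --example-option are constructed samples, not observed attack data.

```python
"""
Added triage example for the two Craft CMS issues described above.
This is NOT code from the advisory or from Craft CMS. Assumptions:
  * PHP's CGI/FPM SAPI with register_argc_argv=On fills $_SERVER['argv'] by
    splitting the raw query string on '+' (no URL-decoding);
  * injected session-file content worth flagging contains a PHP open tag;
  * the log lines and session-file contents below are constructed samples,
    and the option name --example-option is hypothetical.
"""
import os
import re
from typing import Dict, Iterable, List


def argv_from_query_string(query: str) -> List[str]:
    """Mimic the argv PHP derives from a query string when register_argc_argv is On."""
    if not query:
        return []
    return query.split("+")


# Tokens that look like long command-line options (--name or --name=value).
CLI_OPTION = re.compile(r"^--[A-Za-z][\w-]*(=.*)?$")


def suspicious_options(query: str) -> List[str]:
    """Return the option-like argv tokens a web request would smuggle into bootstrap code."""
    return [tok for tok in argv_from_query_string(query) if CLI_OPTION.match(tok)]


# Apache/nginx combined log format (the constructed samples below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag requests whose query string would become CLI-style options in $_SERVER['argv']."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        opts = suspicious_options(query)
        if opts:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "status": m.group("status"), "argv_options": opts})
    return hits


# PHP open tags; serialized session data should never contain these.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def session_files_with_php(files: Dict[str, bytes]) -> List[str]:
    """Return names of sess_* files whose content contains a PHP open tag."""
    return sorted(name for name, data in files.items()
                  if name.startswith("sess_") and PHP_TAG.search(data))


def load_session_dir(directory: str = "/var/lib/php/sessions") -> Dict[str, bytes]:
    """Read a PHP session directory into memory (Debian default path; check session.save_path)."""
    files: Dict[str, bytes] = {}
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file() and entry.name.startswith("sess_"):
                with open(entry.path, "rb") as fh:
                    files[entry.name] = fh.read()
    return files


# Constructed sample input (not real traffic): one request carrying a
# hypothetical long option, one ordinary search, one POST without a query.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2025:10:14:02 +0000] "GET /index.php?--example-option=/tmp/x+-v HTTP/1.1" 200 512',
    '198.51.100.5 - - [29/Apr/2025:10:15:40 +0000] "GET /search?q=craft+cms HTTP/1.1" 200 2048',
    '198.51.100.5 - - [29/Apr/2025:10:16:01 +0000] "POST /index.php HTTP/1.1" 302 0',
    "not a log line",
]

# Constructed sample session files: ordinary serialized data vs. injected PHP.
SAMPLE_SESSION_FILES = {
    "sess_a1b2c3": b'returnUrl|s:14:"/admin/entries";',
    "sess_d4e5f6": b'returnUrl|s:16:"<?php echo 1; ?>";',
    "not_a_session.txt": b"<?php",
}


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("CLI-style option in query string:", hit)
    print("session files containing PHP:", session_files_with_php(SAMPLE_SESSION_FILES))
```

Run against real data by feeding the web server's access log lines to scan_access_log and the result of load_session_dir to session_files_with_php. A hit from the first check shows a request that register_argc_argv would have turned into command-line options; a hit from the second is a session file that should never contain PHP and warrants preserving the file for forensics before patching. The application-side equivalent of the workaround is to consult argv only when PHP_SAPI is 'cli'.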

As of June 2, 2025, Tenable has released the following plugin for CVE-2024-56145:

Plugin ID: 114614 <https://www.tenable.com/plugins/was/114614>
Plugin Name: CraftCMS < 4.13.2 / 5.x < 5.5.2 Remote Code Execution
Platform: Web Application Scanning

As of June 2, 2025, Tenable has not released a plugin for CVE-2025-35939.

Recommended Actions:


  *   Verify the host has not been compromised before applying patches (for example, review the PHP session directory for files containing PHP code, and web server logs for requests whose query string carries command-line style arguments).
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.

Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."

