CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2024-56145

CVSS 9.3v4.0pub. 2024-12-18upd. 2025-10-24

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Craftcms Craft Cms

    APP
    Craftcms
    3.0.0 – 3.9.14 (bez)4.0.0 – 4.13.2 (bez)5.0.0 – 5.5.2 (bez)

CISA KEV — detailsi

Vendori
Craft CMS
Producti
Craft CMS
Added to KEVi
June 2, 2025
Remediation deadline (US Federal)i
June 23, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 23 czerwca 2025
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-32432CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Krytyczny RCE w Craft CMS — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2026-28697CRITICAL9.4PL ✓ten sam produkt

Craft CMS: RCE przez SSTI w polach szablonów Twig

CVE-2026-28783CRITICAL9.4PL ✓ten sam produkt

Craft CMS: obejście bloklisty PHP w silniku Twig umożliwia RCE

CVE-2024-37843CRITICAL9.8PL ✓ten sam produkt

SQL injection w Craft CMS przez endpoint GraphQL API

CVE-2023-41892CRITICAL10.0ten sam produkt

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector....