CVE-2024-56145: CWE-94: Improper Control of Generation of Code ('Code Injection') in craftcms cms
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
AI Analysis
Technical Summary
CVE-2024-56145 is a critical vulnerability in CraftCMS, a popular content management system used for building custom digital experiences. The vulnerability is classified under CWE-94, indicating improper control of code generation, commonly known as code injection. It specifically affects CraftCMS versions 3.0.0 up to but not including 3.9.14, versions 4.0.0-RC1 up to but not including 4.13.2, and versions 5.0.0-RC1 up to but not including 5.5.2. The root cause is linked to the PHP configuration directive `register_argc_argv` being enabled, which allows the passing of command-line arguments to PHP scripts. When enabled, this setting can be abused by attackers to inject and execute arbitrary PHP code remotely without authentication or user interaction. The vulnerability enables remote code execution (RCE), which can lead to full system compromise, data theft, or service disruption. The CVSS 4.0 base score is 9.3 (critical), reflecting its high impact and ease of exploitation. No known exploits are reported in the wild yet, but the severity and nature of the flaw make it a prime target for attackers. The vendor has released patched versions 3.9.14, 4.13.2, and 5.5.2 to address this issue. Users unable to upgrade immediately are advised to disable `register_argc_argv` in their php.ini configuration as a temporary mitigation.
Potential Impact
The impact of CVE-2024-56145 is severe for organizations using vulnerable versions of CraftCMS with register_argc_argv enabled. Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the web server, potentially leading to full system compromise. This can result in data breaches, defacement, ransomware deployment, or pivoting to internal networks. The vulnerability threatens confidentiality, integrity, and availability of affected systems. Organizations hosting sensitive or critical web applications on CraftCMS are at high risk. Given the ease of exploitation and lack of required authentication, widespread scanning and attacks could occur rapidly once exploit code becomes available. The vulnerability also undermines trust in affected websites and can cause significant operational and reputational damage.
Mitigation Recommendations
1. Immediately upgrade CraftCMS installations to the fixed versions: 3.9.14, 4.13.2, or 5.5.2 as applicable.
2. If upgrading is not feasible in the short term, disable the PHP configuration directive `register_argc_argv` by setting `register_argc_argv = Off` in php.ini and restarting the web server.
3. Restrict access to administrative and sensitive endpoints using network-level controls such as firewalls or VPNs.
4. Monitor web server logs and application logs for suspicious activity indicative of code injection attempts.
5. Employ web application firewalls (WAFs) with updated rules to detect and block exploitation attempts targeting this vulnerability.
6. Conduct thorough security audits and penetration testing post-remediation to ensure no residual compromise.
7. Educate development and operations teams about secure PHP configurations and the risks of enabling unnecessary directives like `register_argc_argv`.
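Steps 1 and 2 above amount to a two-part exposure check: is the Craft version inside the advisory's affected ranges, and is `register_argc_argv` effectively on. The following Python script is an added example, not part of the advisory or of Craft's own code; it applies the version ranges stated above and reads a php.ini the way PHP does (`;` starts a comment, the last assignment wins, and an absent directive falls back to PHP's documented built-in default, which is On). The ini contents and version strings are constructed sample inputs.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed) per major line.
RANGES = {3: ("3.0.0", "3.9.14"), 4: ("4.0.0-RC1", "4.13.2"), 5: ("5.0.0-RC1", "5.5.2")}

def _vkey(version):
    """Sort key for a Craft version; a pre-release (4.0.0-RC1) sorts below 4.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(.+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def craft_is_affected(version):
    key = _vkey(version)
    row = RANGES.get(key[0])
    if row is None:
        return False  # major line not named in the advisory
    first_affected, first_fixed = row
    return _vkey(first_affected) <= key < _vkey(first_fixed)

def register_argc_argv_enabled(ini_text):
    """Effective register_argc_argv value for one php.ini: last assignment wins;
    if the directive never appears, PHP's built-in default (On) applies."""
    value = "1"  # PHP default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line or line.startswith("["):
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if key.lower() == "register_argc_argv":
            value = val.strip("\"'")
    return value.lower() in ("1", "on", "yes", "true")

def exposure(version, ini_text):
    """True when the install matches the advisory's affected condition."""
    return craft_is_affected(version) and register_argc_argv_enabled(ini_text)

# Constructed sample inputs (not taken from the advisory).
WEAK_INI = "[PHP]\nregister_argc_argv = On ; left over from a dev setup\n"
FIXED_INI = "[PHP]\nregister_argc_argv = Off\n"
EMPTY_INI = "[PHP]\n"  # directive absent: PHP default (On) applies

if __name__ == "__main__":
    for v in ("3.9.13", "3.9.14", "4.0.0-RC1", "5.5.1", "5.5.2"):
        print(v, "affected" if craft_is_affected(v) else "not affected")
    print("weak ini:", exposure("5.5.1", WEAK_INI),
          "patched Craft:", exposure("5.5.2", WEAK_INI),
          "directive absent:", exposure("5.5.1", EMPTY_INI))
```

Check the ini actually loaded by the web SAPI (for example `php-fpm -i` or phpinfo() served by the web server), not the CLI, because the CLI SAPI forces `register_argc_argv` on regardless of php.ini.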
Affected Countries
United States, Germany, United Kingdom, Australia, Canada, Netherlands, France, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-12-16T18:04:39.983Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6839b29a182aa0cae2b1bcf1
Added to database: 5/30/2025, 1:28:58 PM
Last enriched: 2/28/2026, 3:29:33 AM
Last updated: 3/26/2026, 7:01:09 AM