Researcher to release PoC exploit for critical Craft CMS RCE (CVE-2023-41892) bug
In the ever-evolving realm of cybersecurity, every new day seems to bring with it another headline of a fresh exploit. This time, Craft CMS, an increasingly popular choice for developers and businesses, finds itself in the crosshairs. With the release of proof-of-concept (PoC) exploit code for CVE-2023-41892, a critical vulnerability allowing remote code execution, the platform's users have been urged to exercise caution.
Craft CMS, known for its versatility and the ease it provides in creating custom digital experiences, has garnered significant appreciation. Leveraging the power of the Yii 2 PHP framework and integrating Twig for templating, it stands tall as a testament to user-centricity in the CMS world.
What makes a vulnerability truly haunting is not just its capacity to wreak havoc, but also its ease of exploitation. And CVE-2023-41892 checks all the boxes. This pre-auth RCE flaw is the outcome of an oversight in Craft installations. In layman’s terms, a remote attacker, without needing any authentication, can send a specially crafted request to a Craft CMS server, allowing them to run their own code.
But here’s the clincher. On the Common Vulnerability Scoring System (CVSS) — a standardized measure of the severity of vulnerabilities — it’s been scored a perfect 10 out of 10. This perfect score highlights the fact that the vulnerability is not just trivial to exploit but can also be executed remotely, making it a golden ticket for any attacker.
On delving into the details, @THANHC, a security researcher, shone a light on the cause. He noted that while the pre-auth attack surface of Craft CMS is usually restricted, a particular class (`\craft\controllers\ConditionsController`) had an intriguing `beforeAction` method. The flaw lay in how that method created objects: after dissecting the code, the researcher verified that this endpoint let an unauthenticated attacker instantiate arbitrary objects.
But the alarm bells truly started ringing when another researcher, @nguyendt016, announced the development of a proof-of-concept (PoC) exploit for the CVE-2023-41892 vulnerability.
For those vested in Craft CMS, there are mitigating steps you can take to shield yourself:
1. Update: Upgrade to Craft 4.4.15. This version patches the vulnerability.
2. Renew Security Key: Given the potential that your security key might have been captured, renew it by using the `php craft setup/security-key` command. Ensure this updated key is reflected in all production environments.
3. Refresh Private Keys: If you have other private keys stored as environment variables (like for S3 or Stripe), refresh those keys.
4. Reset Passwords: Compel all users to reset their passwords out of prudence. This can be initiated using `php craft resave/users --set passwordResetRequired --to "fn() => true"`.
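As an added example (not code from this article or from Craft CMS itself), the POSIX shell script below reads the `craftcms/cms` version pinned in a project's `composer.lock` and reports whether it still predates the 4.4.15 release named in step 1; only the 4.x line is judged, and the lock file path and its JSON layout are assumptions about the project.

```shell
#!/bin/sh
# Added example, not code from the article or from Craft CMS: decide whether the
# craftcms/cms version pinned in a composer.lock predates 4.4.15, the release the
# article names as the fix for CVE-2023-41892. Only the 4.x line is judged.

# craft_vulnerable VERSION -> status 0 if VERSION is 4.x and below 4.4.15.
craft_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}                 # "0-RC1" -> "0"
    [ "$major" = 4 ] || return 1            # other majors: out of scope here
    if [ "$minor" -lt 4 ]; then return 0; fi
    if [ "$minor" -eq 4 ] && [ "$patch" -lt 15 ]; then return 0; fi
    return 1
}

# craft_lock_version LOCKFILE -> prints the pinned craftcms/cms version (no jq needed).
craft_lock_version() {
    awk '/"name": "craftcms\/cms"/ { found = 1 }
         found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# report LOCKFILE -> prints a verdict; status 0 when the upgrade is still needed.
report() {
    v=$(craft_lock_version "$1")
    [ -n "$v" ] || { echo "craftcms/cms not found in $1"; return 1; }
    if craft_vulnerable "$v"; then
        echo "craftcms/cms $v predates 4.4.15: upgrade, then rotate the security key"
        return 0
    fi
    echo "craftcms/cms $v already includes the fix"
    return 1
}

# Constructed composer.lock fragment for the demonstration (not a real project).
lock=$(mktemp)
cat > "$lock" <<'EOF'
{
    "packages": [
        {
            "name": "craftcms/cms",
            "version": "4.4.14"
        }
    ]
}
EOF
report "$lock"
rm -f "$lock"
```

Point `report` at a real project's `composer.lock` to check an installation you administer; a pinned version at or beyond 4.4.15 still leaves steps 2 to 4 to carry out if exposure before the upgrade is possible.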