CVE-2024-56145 — Craft CMS Code Injection Vulnerability

Craft CMS — register_argc_argv Code Injection; Pre-Auth RCE When PHP Misconfigured; December 2024 Patch

What is Craft CMS?

Craft CMS is a popular PHP content management system built on the Yii framework, used by businesses and agencies worldwide for website and web application management. See CVE-2025-23209 for the full product context on Craft CMS's deployment characteristics.

Overview

CVE-2024-56145 is a code injection vulnerability (CWE-94) in Craft CMS that allows remote code execution when the server's PHP configuration has register_argc_argv enabled — a non-default but not uncommon PHP setting. Unlike CVE-2025-23209 (which requires knowledge of the security key), this vulnerability can be triggered without authentication on misconfigured servers. The 6-month gap between the December 2024 patch and the June 2025 CISA KEV listing reflects that many unpatched Craft CMS installations with register_argc_argv enabled were being actively exploited throughout 2025.

Affected Versions

Product         Vulnerable    Fixed
Craft CMS 4.x   < 4.12.2      4.12.2
Craft CMS 5.x   < 5.4.9       5.4.9

Technical Details

The code injection (CWE-94) stems from how PHP handles the register_argc_argv directive in combination with Craft CMS's routing. When register_argc_argv = On in php.ini, PHP populates the $_SERVER['argv'] and $_SERVER['argc'] entries (normally the command-line arguments) for web requests as well, not only for CLI runs. In a web context with this setting enabled, certain HTTP request parameters are therefore misinterpreted as command-line arguments. Craft CMS reads the argv array in its console command handling, so an unauthenticated attacker can inject arbitrary console commands that execute on the server.

PHP configuration prerequisite: register_argc_argv defaults to Off in modern PHP installations but is On in some hosting environments and older configurations. The CVSS 9.8 (PR:N — no auth required) reflects that the vulnerability requires no credentials — only the PHP misconfiguration.

Relationship to other Craft CVEs:

  • CVE-2024-56145 (this CVE, Dec 2024): Exploitable without authentication when register_argc_argv = On
  • CVE-2025-23209 (Jan 2025): Requires low-privilege account + known security key
  • CVE-2024-58136 (Yii CVE, Apr 2025): Framework-level alternate path bypass affecting Craft

The three CVEs represent an escalating research interest in Craft CMS's security boundaries throughout 2024–2025.

Exploitation Context

CISA confirmed active exploitation and added the CVE to the KEV catalog on June 2, 2025, six months after the patch. Organizations running unpatched Craft CMS on servers with register_argc_argv enabled (a common configuration in shared hosting environments using older PHP configurations) remained exposed throughout this period.

Remediation

  1. Upgrade Craft CMS to 4.12.2 or 5.4.9 immediately. The CISA deadline was June 23, 2025.
  2. Set register_argc_argv = Off in php.ini — this is the root cause configuration issue. Disabling it prevents the code injection even on unpatched Craft versions. Verify: php -i | grep register_argc_argv.
  3. Apply all companion Craft CMS patches: CVE-2025-23209 (Jan 2025) and Yii CVE-2024-58136 (Apr 2025) — all three affect the same Craft/Yii ecosystem.
  4. Protect php.ini from hosting environment changes that could re-enable register_argc_argv.
  5. Audit web server access logs for unusual requests to the Craft admin endpoint that triggered server-side command execution.
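The php -i check in step 2 reports the CLI SAPI, which forces register_argc_argv on regardless of php.ini, so it cannot tell you what the web SAPI (php-fpm, mod_php) is doing. The following diagnostic is an added example, not Craft's or PHP's own code; the filename check_register_argc_argv.php is assumed, and it is meant to be placed under the web root, requested once over HTTP, and then removed.

```php
<?php
// check_register_argc_argv.php (hypothetical name): request once over HTTP,
// then delete it. Reports whether the *web* SAPI exposes the query string
// as $_SERVER['argv'], which is the precondition CVE-2024-56145 needs.

header('Content-Type: text/plain');

$sapi    = PHP_SAPI;                        // e.g. fpm-fcgi, apache2handler, cli
$setting = ini_get('register_argc_argv');   // "1"/"0", or "" when unset
$enabled = filter_var($setting, FILTER_VALIDATE_BOOLEAN);
$iniFile = php_ini_loaded_file() ?: '(none)';

echo "SAPI:                {$sapi}\n";
echo "Loaded php.ini:      {$iniFile}\n";
echo "register_argc_argv:  " . ($enabled ? 'On' : 'Off') . "\n";

// The CLI SAPI always turns register_argc_argv on, so a CLI run of this
// script proves nothing about the web server configuration.
if ($sapi === 'cli') {
    echo "Run this over HTTP (php-fpm / mod_php), not from the command line.\n";
    exit(1);
}

// With the directive on, PHP fills $_SERVER['argv'] from the query string
// (split on '+') for every web request. Its mere presence here is the
// misconfiguration, independent of the Craft version installed.
$argvPresent = isset($_SERVER['argv']) && is_array($_SERVER['argv']);
echo "argv populated:      " . ($argvPresent ? 'yes' : 'no') . "\n";
if ($argvPresent) {
    echo "argv contents:       " . json_encode($_SERVER['argv']) . "\n";
}

if ($enabled || $argvPresent) {
    echo "\nRESULT: EXPOSED. Set 'register_argc_argv = Off' in {$iniFile}"
       . " for this SAPI, remove any per-directory overrides, and restart"
       . " php-fpm or the web server.\n";
    exit(2);
}
echo "\nRESULT: OK. register_argc_argv is off for the web SAPI.\n";
```

Because register_argc_argv is a PHP_INI_PERDIR directive, a .user.ini (php-fpm) or an .htaccess php_flag line (mod_php) can re-enable it below the global php.ini, which is why step 4 matters and why the check is run over HTTP from the Craft document root.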

Key Details

Property               Value
CVE ID                 CVE-2024-56145
Vendor / Product       Craft CMS / Craft CMS
NVD Published          2024-12-18
NVD Last Modified      2025-10-24
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94
CISA KEV Added         2025-06-02
CISA KEV Deadline      2025-06-23
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-06-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-12-18   CVE published; Craft CMS 4.12.2 and 5.4.9 released with fix
2025-06-02   CISA adds to KEV (6-month delay reflects ongoing exploitation of unpatched installs)
2025-06-23   CISA BOD 22-01 remediation deadline