Cyber Posture

CVE-2024-58279

High · Public PoC

Published: 10 December 2025
Modified: 19 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0043 62.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the flaw in the filemanager upload endpoint of appRain CMF 4.0.5 that permits unrestricted uploading of malicious PHP files leading to RCE.

prevent

Implements input validation mechanisms at the filemanager upload endpoint to detect and reject malicious PHP files, preventing exploitation of the unrestricted file upload vulnerability.

prevent

Enforces secure web server configuration settings to disable PHP execution in the uploads directory, blocking RCE even if malicious files are uploaded.
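The input-validation control above, sketched as an added example (not appRain's code and not taken from this page): an upload classifier that can run at the upload endpoint and also sweep an existing uploads directory for files that would be treated as PHP. The extension lists, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path, PurePosixPath

# Assumption: extensions commonly mapped to the PHP handler; match the real server config.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)
# Assumption: file types this uploads directory is meant to hold.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
# Long and echo open tags; the bare "<?" short tag is omitted to limit false positives.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify_upload(name, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    base = PurePosixPath(name.replace("\\", "/")).name  # drop any client-supplied path
    reasons = []
    if PHP_EXT.search(base):  # catches double extensions such as x.php.jpg
        reasons.append("php-extension")
    if PurePosixPath(base).suffix.lower() not in ALLOWED_EXT:
        reasons.append("extension-not-allowlisted")
    if PHP_TAG.search(data):
        reasons.append("php-open-tag")
    return reasons

def audit_uploads(root):
    """Sweep an existing uploads tree; map relative path -> reasons for flagged files."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                reasons = classify_upload(path.name, fh.read(1 << 20))  # first 1 MiB
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Audit a constructed uploads tree (sample files are made up for this example)."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "avatar.php.jpg": b"\xff\xd8\xff\xe0 jpeg-like bytes",
        "invoice.PHP": b"<?php echo 'constructed sample'; ?>",
        "banner.gif": b"GIF89a<?= 1 ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return audit_uploads(root)

if __name__ == "__main__":
    print(demo())
```

The content check can flag binary files that happen to contain the tag bytes, so treat `php-open-tag` hits as items to review. Disabling PHP execution in the uploads directory remains the backstop if a file slips past validation.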

Security Summary · AI

CVE-2024-58279 is an authenticated remote code execution vulnerability in appRain CMF 4.0.5. The flaw resides in the filemanager upload endpoint, which permits administrative users to upload malicious PHP files directly to the site's uploads directory, bypassing restrictions on dangerous file types (CWE-434). This issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility and low privilege requirements.

Attackers with valid administrative credentials can exploit the vulnerability by crafting and uploading a malicious PHP file through the filemanager endpoint. Successful exploitation allows them to establish a web shell in the uploads directory, granting remote command execution on the server. This enables full compromise of the affected system, including data exfiltration, persistence, or further lateral movement.

Advisories and references, including the VulnCheck advisory on apprain-cmf authenticated RCE via filemanager upload and an Exploit-DB entry (52041) with proof-of-concept exploit code, document the issue. The appRain project site and GitHub archive for v4.0.5 provide additional context on the vulnerable version, though no specific patches or mitigations are detailed in the available information.

Details

CWE(s)

Affected Products

apprain
apprain
4.0.5

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 · Web Shell · Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Authenticated RCE via unrestricted file upload in a public-facing web app (T1190) directly facilitates deployment of a PHP web shell for remote command execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
