Cyber Posture

CVE-2024-58280

High · Public PoC

Published: 10 December 2025
Modified: 31 December 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly remediates the flaw in CMSimple 5.15 that allows authenticated attackers to append ',php' to Extensions_userfiles and upload executable shells.

Prevent: Restricts low-privilege authenticated users from modifying the vulnerable Extensions_userfiles configuration setting.

Prevent: Enforces least privilege to prevent low-privilege users from accessing functions that alter file extension controls or upload executable files.

Security Summary [AI]

CMSimple 5.15, a content management system, is affected by CVE-2024-58280, a remote command execution vulnerability stemming from CWE-403 (Exposure of File Descriptor or Handle to an Unauthorized Control Sphere). The flaw enables authenticated attackers to manipulate file extension controls by appending ',php' to the Extensions_userfiles configuration, allowing the upload of malicious PHP files, such as shell scripts, to the media directory. This results in arbitrary code execution on the server, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated users with low privileges (PR:L) can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability, up to full server-side code execution via PHP shells uploaded to the media directory.

Advisories and related resources include a VulnCheck advisory detailing the remote command execution via extensions configuration, an Exploit-DB entry (52040) providing a public proof-of-concept, and CMSimple's official site with a download link for version 5.15, the affected release. No specific patch or mitigation details are outlined in the available references.

Details

CWE(s)

Affected Products

cmsimple / cmsimple / 5.15 (vendor / product / version)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability in the public-facing CMSimple CMS allows authenticated low-privilege users to bypass file extension controls and upload PHP web shells for remote command execution, directly facilitating T1190 (Exploit Public-Facing Application) and T1100 (Web Shell, the legacy ID for what is now T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References