{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/craftcms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["craftcms","rce","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCraft CMS versions 5.6.0 through 5.9.12 are susceptible to a remote code execution (RCE) vulnerability (CVE-2026-33157) that bypasses previous security measures implemented to prevent similar attacks. The vulnerability stems from the \u003ccode\u003eElementIndexesController::actionFilterHud()\u003c/code\u003e function, where the \u003ccode\u003efieldLayouts\u003c/code\u003e parameter is passed directly to \u003ccode\u003eFieldLayout::createFromConfig()\u003c/code\u003e without proper sanitization. Any authenticated user with control panel access (\u003ccode\u003eaccessCp\u003c/code\u003e permission) can exploit this flaw by injecting malicious behaviors into the \u003ccode\u003efieldLayouts\u003c/code\u003e configuration. This oversight allows attackers to execute arbitrary code on the server, potentially leading to complete system compromise. 
Defenders need to implement mitigations to detect and prevent exploitation of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with control panel access crafts a malicious HTTP request.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003efieldLayouts\u003c/code\u003e array with a configuration containing \u003ccode\u003e\u0026quot;as \u0026lt;name\u0026gt;\u0026quot;\u003c/code\u003e prefixed keys within the request body to the \u003ccode\u003e/admin/element-indexes/filter-hud\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eElementIndexesController::actionFilterHud()\u003c/code\u003e receives the \u003ccode\u003efieldLayouts\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efieldLayouts\u003c/code\u003e parameter is passed to \u003ccode\u003eFieldLayout::createFromConfig($config)\u003c/code\u003e without sanitization.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eFieldLayout::createFromConfig($config)\u003c/code\u003e invokes \u003ccode\u003eModel::__construct($config)\u003c/code\u003e, which processes each key in the configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e\u0026quot;as rce\u0026quot;\u003c/code\u003e key triggers \u003ccode\u003eComponent::__set(\u0026quot;as rce\u0026quot;, $value)\u003c/code\u003e, which leads to the instantiation of \u003ccode\u003eAttributeTypecastBehavior\u003c/code\u003e and its attachment to the FieldLayout via \u003ccode\u003eYii::createObject($value)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn \u003ccode\u003e\u0026quot;on *\u0026quot;\u003c/code\u003e key registers a wildcard event handler. 
Construction then continues through \u003ccode\u003eparent::__construct()\u003c/code\u003e into \u003ccode\u003einit()\u003c/code\u003e, which calls \u003ccode\u003esetTabs([])\u003c/code\u003e -\u0026gt; \u003ccode\u003egetAvailableNativeFields()\u003c/code\u003e -\u0026gt; \u003ccode\u003etrigger(EVENT_DEFINE_NATIVE_FIELDS)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe wildcard handler matches that event and invokes \u003ccode\u003eAttributeTypecastBehavior::beforeSave()\u003c/code\u003e -\u0026gt; \u003ccode\u003etypecastAttributes()\u003c/code\u003e, which reads each attribute named in the behavior\u0026rsquo;s \u003ccode\u003eattributeTypes\u003c/code\u003e from the owner. Because the behavior is attached to the FieldLayout, \u003ccode\u003e$this-\u0026gt;owner-\u0026gt;typecastBeforeSave\u003c/code\u003e is resolved by \u003ccode\u003eComponent::__get()\u003c/code\u003e to the behavior\u0026rsquo;s own \u003ccode\u003etypecastBeforeSave\u003c/code\u003e property, which holds the attacker-supplied command string, and the attacker-chosen \u0026ldquo;type\u0026rdquo; callable is then applied to that value: \u003ccode\u003ecall_user_func([ConsoleProcessus::class, 'execute'], $command)\u003c/code\u003e -\u0026gt; \u003ccode\u003eshell_exec($command)\u003c/code\u003e, giving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows any authenticated user with control panel access to execute arbitrary code on the Craft CMS server with the privileges of the PHP process. Successful exploitation can lead to complete system compromise, including data theft, modification, or destruction. 
This RCE vulnerability can have significant impacts on organizations using affected versions of Craft CMS (5.6.0 through 5.9.12).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts by monitoring for POST requests to \u003ccode\u003e/admin/element-indexes/filter-hud\u003c/code\u003e carrying a \u003ccode\u003efieldLayouts\u003c/code\u003e parameter in the request body (see Sigma rule \u0026ldquo;Craft CMS RCE Attempt via ElementIndexesController\u0026rdquo;). Note that \u003ccode\u003eadmin\u003c/code\u003e is only the default control panel path (the \u003ccode\u003ecpTrigger\u003c/code\u003e setting), so match on the \u003ccode\u003eelement-indexes/filter-hud\u003c/code\u003e route rather than on the full path, and that legitimate control panel requests hit the same endpoint, so tune the rule to \u003ccode\u003efieldLayouts\u003c/code\u003e entries whose keys begin with \u003ccode\u003e\u0026quot;as \u0026quot;\u003c/code\u003e or \u003ccode\u003e\u0026quot;on \u0026quot;\u003c/code\u003e to keep it precise.\u003c/li\u003e\n\u003cli\u003eUpgrade to a Craft CMS release newer than 5.9.12; do not downgrade below 5.6.0 to escape the affected range.\u003c/li\u003e\n\u003cli\u003eRestrict control panel access (the \u003ccode\u003eaccessCp\u003c/code\u003e permission) to trusted users with a legitimate need, reducing the attack surface; every account holding that permission can exploit this flaw.\u003c/li\u003e\n\u003cli\u003eInjected behaviors and event handlers exist only for the lifetime of the malicious request, so exploitation leaves nothing in stored configuration. Review historical web server and Craft logs for earlier hits on this endpoint, and treat any confirmed hit as a host compromise that warrants a full investigation.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the \u003ccode\u003eElementIndexesController\u003c/code\u003e and \u003ccode\u003eFieldLayout\u003c/code\u003e components, focusing on POST requests containing potentially malicious configurations (see Sigma rule \u0026ldquo;Craft CMS RCE - AttributeTypecastBehavior\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T16:50:42Z","date_published":"2026-03-24T16:50:42Z","id":"/briefs/2024-01-18-craftcms-rce/","summary":"A remote code execution vulnerability exists in Craft CMS versions 5.6.0 through 5.9.12, where any authenticated user with control panel access can exploit the vulnerability by injecting malicious behavior via the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` due to the unsanitized parameter being passed to `FieldLayout::createFromConfig()`.","title":"Craft CMS Authenticated Remote Code Execution via Malicious Attached 
Behavior","url":"https://feed.craftedsignal.io/briefs/2024-01-18-craftcms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Craftcms","version":"https://jsonfeed.org/version/1.1"}
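Worked screening logic for the detection recommendation in the brief above and for the behavior/event injection its attack chain relies on, as an added example that is not code from the advisory, from Craft CMS, or from the CraftedSignal Sigma rules. It decodes a request body (JSON or PHP-style bracket-encoded form data), checks whether the request routes to the `element-indexes/filter-hud` action regardless of the configurable `cpTrigger` prefix (Craft also routes actions via the `action` body parameter and `/actions/<route>` paths), and walks the `fieldLayouts` config for keys that Yii's `Component::__set()` treats as behavior attachments (`"as "`) or event handlers (`"on "`). The request records are constructed for the example, and the command payload is deliberately omitted since the keys alone are what the check needs.

```python
"""Screen Craft CMS requests for the fieldLayouts behavior/event injection.

Added example, not Craft CMS or advisory code. Keys prefixed "as " attach a
behavior and keys prefixed "on " register an event handler in Yii's
Component::__set(); neither belongs in a fieldLayouts config.
"""
import json
import re
from urllib.parse import parse_qs

FILTER_HUD_ROUTE = "element-indexes/filter-hud"  # the Craft action route
INJECTION_PREFIXES = ("as ", "on ")  # exact prefixes, as Yii matches them
_KEY_RE = re.compile(r"^([^\[]*)((?:\[[^\]]*\])*)$")


def php_query_to_nested(body: str) -> dict:
    """Decode PHP bracket notation (a[b][c]=v, a[]=v) into nested dicts."""
    out: dict = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = _KEY_RE.match(key)
        if not m:
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        for value in values:
            node = out
            for i, part in enumerate(parts):
                if part == "":  # PHP's [] appends at the next integer index
                    part = str(len(node))
                if i == len(parts) - 1:
                    node[part] = value
                else:
                    node = node.setdefault(part, {})
    return out


def decode_body(content_type: str, body: str) -> dict:
    """Body as a dict: JSON if declared, otherwise form-encoded."""
    if "application/json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    return php_query_to_nested(body)


def targets_filter_hud(path: str, body: dict) -> bool:
    """True if the request resolves to the filter-hud action. The CP prefix
    (/admin by default, via cpTrigger) is configurable, so match the route
    suffix; Craft also accepts the route in the `action` body parameter."""
    clean = path.split("?", 1)[0].rstrip("/")
    if clean.endswith("/" + FILTER_HUD_ROUTE):
        return True
    return str(body.get("action", "")).strip("/") == FILTER_HUD_ROUTE


def injected_keys(node, path: str = "fieldLayouts") -> list:
    """Collect every "as "/"on " key anywhere under the config, with its path."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(INJECTION_PREFIXES):
                hits.append(f"{path}.{key}")
            hits.extend(injected_keys(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(injected_keys(value, f"{path}[{i}]"))
    return hits


def assess_request(req: dict) -> dict:
    """Classify one request as ignore (out of scope), benign, or alert."""
    body = decode_body(req.get("content_type", ""), req.get("body", ""))
    if req.get("method", "").upper() != "POST" or not targets_filter_hud(req.get("path", ""), body):
        return {"verdict": "ignore", "hits": []}
    layouts = body.get("fieldLayouts")
    if layouts is None:
        return {"verdict": "ignore", "hits": []}
    hits = injected_keys(layouts)
    return {"verdict": "alert" if hits else "benign", "hits": hits}


# Constructed sample requests, not captured traffic; values are placeholders.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/admin/element-indexes/filter-hud",  # benign HUD call
     "content_type": "application/x-www-form-urlencoded",
     "body": "elementType=craft%5Celements%5CEntry&fieldLayouts[0][tabs][0][name]=Content"},
    {"method": "POST", "path": "/cp/element-indexes/filter-hud",  # non-default cpTrigger
     "content_type": "application/json",
     "body": json.dumps({"fieldLayouts": [{
         "as rce": {"class": "yii\\behaviors\\AttributeTypecastBehavior"},
         "on *": "handler-placeholder"}]})},
    {"method": "POST", "path": "/index.php",  # route supplied via the action parameter
     "content_type": "application/x-www-form-urlencoded",
     "body": "action=element-indexes%2Ffilter-hud"
             "&fieldLayouts[0][as%20x][class]=yii%5Cbehaviors%5CAttributeTypecastBehavior"},
]


def scan_samples() -> list:
    return [assess_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, scan_samples()):
        print(req["path"], result["verdict"], result["hits"])
```

The bracket decoder matters because the control panel posts form-encoded data, where a key such as `fieldLayouts[0][as x][class]` only reveals the `as ` prefix after the nesting is rebuilt; a rule that greps the raw body for `fieldLayouts` alone fires on every normal filter request and still misses the `action`-parameter routing.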