{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2022-50944/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2022-50944"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Aero CMS 0.0.1"],"_cs_severities":["high"],"_cs_tags":["code-injection","php","web-application","cve-2022-50944"],"_cs_type":"threat","_cs_vendors":["MegaTKC"],"content_html":"\u003cp\u003eAero CMS 0.0.1 is susceptible to a PHP code injection vulnerability identified as CVE-2022-50944. This flaw allows authenticated attackers to inject and execute arbitrary PHP code on the affected server. The vulnerability is triggered by uploading a malicious PHP file through the \u003ccode\u003eimage\u003c/code\u003e parameter when adding or modifying a post. Specifically, an attacker can send a crafted request to the \u003ccode\u003e/admin/posts.php\u003c/code\u003e endpoint with the \u003ccode\u003esource=add_post\u003c/code\u003e parameter, containing PHP code embedded within an image file. Successful exploitation allows the attacker to gain remote code execution, potentially leading to full system compromise. This poses a significant risk to organizations using Aero CMS 0.0.1, as it could enable data theft, service disruption, or further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Aero CMS application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious PHP file containing code to be executed on the server.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the \u003ccode\u003e/admin/posts.php\u003c/code\u003e endpoint with the \u003ccode\u003esource=add_post\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious PHP file through the \u003ccode\u003eimage\u003c/code\u003e parameter in a POST request to \u003ccode\u003e/admin/posts.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application saves the uploaded file to a directory accessible by the webserver.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to directly access the uploaded PHP file via HTTP.\u003c/li\u003e\n\u003cli\u003eThe webserver executes the PHP code within the uploaded file.\u003c/li\u003e\n\u003cli\u003eAttacker achieves remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2022-50944) allows an attacker to execute arbitrary PHP code on the server hosting Aero CMS 0.0.1. This could lead to complete compromise of the affected system, including the ability to read sensitive data, modify website content, install malware, or pivot to other systems on the network. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. While the number of victims is unknown, any system running the vulnerable version of Aero CMS is at risk if authentication is compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Aero CMS if available; otherwise, discontinue use of the product.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on the \u003ccode\u003eimage\u003c/code\u003e parameter to prevent the upload of PHP files to mitigate CVE-2022-50944.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PHP File Upload via Image Parameter\u003c/code\u003e to identify attempts to upload malicious PHP files to the \u003ccode\u003e/admin/posts.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/admin/posts.php\u003c/code\u003e with the \u003ccode\u003esource=add_post\u003c/code\u003e parameter and PHP files uploaded through the \u003ccode\u003eimage\u003c/code\u003e parameter to identify potential exploitation attempts, as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:22:02Z","date_published":"2026-05-10T13:22:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-aero-cms-php-code-injection/","summary":"Aero CMS 0.0.1 is vulnerable to PHP code injection (CVE-2022-50944), allowing an authenticated attacker to execute arbitrary PHP code by uploading malicious files through the image parameter, leading to remote code execution on the server.","title":"CVE-2022-50944: Aero CMS 0.0.1 PHP Code Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-aero-cms-php-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2022-50944","version":"https://jsonfeed.org/version/1.1"}