Attack Chain

1. Attacker authenticates to the Aero CMS application.
2. Attacker crafts a malicious PHP file containing code to be executed on the server.
3. Attacker accesses the /admin/posts.php endpoint with the source=add_post parameter.
4. Attacker uploads the malicious PHP file through the image parameter in a POST request to /admin/posts.php.
5. The application saves the uploaded file to a directory accessible by the webserver.
6. The attacker crafts a request to directly access the uploaded PHP file via HTTP.
7. The webserver executes the PHP code within the uploaded file.
8. Attacker achieves remote code execution on the server.

Impact

Successful exploitation of this vulnerability (CVE-2022-50944) allows an attacker to execute arbitrary PHP code on the server hosting Aero CMS 0.0.1. This could lead to complete compromise of the affected system, including the ability to read sensitive data, modify website content, install malware, or pivot to other systems on the network. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. While the number of victims is unknown, any system running the vulnerable version of Aero CMS is at risk if authentication is compromised.

Recommendation

• Upgrade to a patched version of Aero CMS if available; otherwise, discontinue use of the product.
• Implement strict input validation on the image parameter to prevent the upload of PHP files to mitigate CVE-2022-50944.
• Deploy the Sigma rule Detect Suspicious PHP File Upload via Image Parameter to identify attempts to upload malicious PHP files to the /admin/posts.php endpoint.
• Monitor web server logs for suspicious requests to /admin/posts.php with the source=add_post parameter and PHP files uploaded through the image parameter to identify potential exploitation attempts, as described in the attack chain.