Dark Web Informer - Cyber Threat Intelligence

CVE-2024-32640: Masa CMS SQL Injection leads to RCE

CVE ID: CVE-2024-32640
CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD)
Publish date: August 11, 2025 (NVD)


TL;DR

Masa CMS before 7.4.6, 7.3.13, and 7.2.8 has a SQL injection vulnerability in the processAsyncObject method that can be exploited remotely without authentication. Successful exploitation can lead to remote code execution. Patches are available in 7.4.6, 7.3.13, and 7.2.8. Apply updates immediately. (NVD, CVE Details)


Affected Versions

  • Masa CMS: versions prior to 7.4.6, prior to 7.3.13, and prior to 7.2.8 are vulnerable.
  • Fixed in 7.4.6, 7.3.13, and 7.2.8. (NVD, CVE Details)
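Because each maintained branch received its own fix, a plain numeric comparison against 7.4.6 would wrongly flag 7.3.13 and 7.2.8 as vulnerable. The following branch-aware check is an added example written for this page, not code from the advisory or from the Masa CMS project; it assumes semantic three-part version strings, treats any pre-release suffix on a fix version (e.g. 7.4.6-rc1) as still vulnerable, and, as an assumption, treats branches newer than 7.4 as carrying the fix because they are not "prior to 7.4.6".

```python
"""Branch-aware vulnerability check for CVE-2024-32640 (added example)."""
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 8),
    (7, 3): (7, 3, 13),
    (7, 4): (7, 4, 6),
}

VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?P<suffix>[-+][0-9A-Za-z.]+)?\s*$")


def parse_version(text):
    """Return (major, minor, patch, release_flag); release_flag is 0 for
    pre-releases such as 7.4.6-rc1 so they sort below the final 7.4.6."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    release_flag = 0 if m.group("suffix") else 1
    return (major, minor, patch, release_flag)


def upgrade_target(version_text):
    """Fixed release a given install should move to, or None if no fix applies
    (i.e. the install is already on or past a fixed release)."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch] + (1,)
        return FIXED_BY_BRANCH[branch] if v < fixed else None
    if branch < (7, 2):
        # Branches older than 7.2 got no patch in the advisory: the only
        # fixed release that is reachable is the oldest patched branch.
        return FIXED_BY_BRANCH[(7, 2)]
    # Assumption: branches newer than 7.4 are not "prior to 7.4.6".
    return None


def is_vulnerable(version_text):
    return upgrade_target(version_text) is not None


def triage_inventory(inventory):
    """Map host -> fixed release to install, for every vulnerable host.
    `inventory` is {host: version_string}; hosts on a fixed release are omitted."""
    result = {}
    for host, version in inventory.items():
        target = upgrade_target(version)
        if target is not None:
            result[host] = ".".join(str(n) for n in target)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "cms-a.example": "7.4.5",
        "cms-b.example": "7.3.13",
        "cms-c.example": "v7.4.6-rc1",
        "cms-d.example": "7.1.2",
    }
    for host, fix in triage_inventory(sample).items():
        print(f"{host}: upgrade to {fix}")
```

Feed it the output of whatever inventory source you already have (asset database, CMS admin page, package manifest); the useful property is that a host on 7.3.13 or 7.2.8 is reported as fixed rather than generating a false "upgrade to 7.4.6" ticket.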

Vulnerability Details

  • Type: SQL Injection (CWE-89) (NVD)
  • Location: processAsyncObject method in Masa CMS.
  • Impact: Remote, unauthenticated attackers can run arbitrary SQL against the application database; chained with other weaknesses this can lead to remote code execution. (NVD, CVE Details)

Mitigation

  1. Upgrade now to one of the fixed releases: 7.4.6, 7.3.13, or 7.2.8. (NVD)
  2. If you cannot upgrade immediately:
    • Restrict admin and API access paths by IP.
    • Place the site behind a WAF with SQLi rules enabled.
    • Increase database query logging and monitor for anomalous patterns.
    • Back up databases and configuration before applying the patch, so the upgrade can be rolled back if needed.
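The monitoring item above targets database query logs; the same idea applies one hop earlier, in the web server access log, where the request carrying an injection attempt is visible before it reaches the database. The script below is an added example for this page, not code from the advisory or from Masa CMS: it parses combined-format access log lines, URL-decodes the query string (repeatedly, to catch double encoding), and scores each request against weighted SQL injection indicators so that a lone apostrophe in legitimate input (O'Reilly) stays below the alert threshold. The log lines and paths are constructed samples; the actual request path that reaches processAsyncObject is not given in the advisory, so no path filtering is assumed.

```python
"""Score web access log requests for SQL injection indicators (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Aug/2025:10:00:01 +0000] "GET /index.cfm?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Aug/2025:10:00:02 +0000] "GET /index.cfm?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Aug/2025:10:00:03 +0000] "GET /search.cfm?q=cats%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 2048 "-" "curl/8.4"
192.0.2.5 - - [11/Aug/2025:10:00:04 +0000] "GET /index.cfm?q=O%27Reilly HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (pattern, weight, label). Weights are chosen so that one apostrophe alone
# scores 1, below ALERT_THRESHOLD, while classic injection syntax scores >= 3.
INDICATORS = [
    (r"'", 1, "quote"),
    (r"--|/\*|#", 2, "sql-comment"),
    (r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", 3, "union-select"),
    (r"\b(or|and)\b\s+['\"\d]+\s*=\s*['\"\d]+", 3, "tautology"),
    (r"\b(sleep|benchmark|pg_sleep|waitfor)\b", 3, "time-based"),
    (r"information_schema", 2, "schema-probe"),
]
ALERT_THRESHOLD = 3


def decode(value, rounds=3):
    """URL-decode until stable (bounded) so %2527-style double encoding is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_request(target):
    """Return (path, score, matched_labels) for a request target like /a?b=c."""
    path, _, query = target.partition("?")
    decoded = decode(query).lower()
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, decoded):
            score += weight
            hits.append(label)
    return path, score, hits


def scan_log(text):
    """Return a list of alert dicts for lines scoring at or above the threshold."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, score, hits = score_request(m["target"])
        if score >= ALERT_THRESHOLD:
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "path": path,
                "status": m["status"], "score": score, "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ip']} {alert['path']} status={alert['status']} "
              f"score={alert['score']} hits={','.join(alert['hits'])}")
```

Run it against a real access log with `scan_log(open(path).read())`; a 500 status on a scored request (second sample line) is worth prioritising, since a syntax error from an unquoted apostrophe is typical of a probe that reached the database. Treat the weights and threshold as a starting point and tune them on your own traffic before wiring the output into alerting.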

Affected Environments

Any Masa CMS instance exposed to the internet, especially those allowing unauthenticated interactions with endpoints that reach processAsyncObject. Multi-tenant and shared hosting setups carry higher risk.


TTPs (MITRE Mapping)

  • Initial Access: Exploit Public-Facing Application (T1190) via SQL injection.
  • Execution/Privilege: after a successful injection, RCE may be reached through command execution via application features (T1059), depending on the environment and how the attacker chains the flaw.

References

  • NVD entry for CVE-2024-32640 (NVD).
  • CVEDetails summary and EPSS context (CVE Details).
  • GitHub advisory and release notes for patched versions 7.2.8, 7.3.13, and 7.4.6 (via NVD).
