CVE ID: CVE-2024-32640
CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) NVD
Publish date: August 11, 2025 (NVD) NVD
TL;DR
Masa CMS before 7.4.6, 7.3.13, and 7.2.8 has a SQL injection in processAsyncObject
that can be exploited remotely without authentication. Successful exploitation can lead to remote code execution. Patches are available in 7.4.6, 7.3.13, and 7.2.8. Apply updates immediately. NVDCVE Details
Affected Versions
- Masa CMS: versions prior to 7.4.6, prior to 7.3.13, and prior to 7.2.8 are vulnerable.
- Fixed in 7.4.6, 7.3.13, 7.2.8. NVDCVE Details
Vulnerability Details
- Type: SQL Injection (CWE-89) NVD
- Location:
processAsyncObject
method in Masa CMS. - Impact: Remote, unauthenticated attackers can run arbitrary SQL. Chaining can lead to remote code execution. NVDCVE Details
Recommended Action
- Upgrade now to one of the fixed releases: 7.4.6, 7.3.13, or 7.2.8. NVD
- If you cannot upgrade immediately:
- Restrict admin and API access paths by IP.
- Place the site behind a WAF with SQLi rules enabled.
- Increase database query logging and monitor for anomalous patterns.
- Back up databases and configs before applying patches.
Affected Environments
Any Masa CMS instance exposed to the internet, especially those allowing unauthenticated interactions with endpoints that reach processAsyncObject
. Multi-tenant and shared hosting setups carry higher risk.
TTPs (MITRE Mapping)
- Initial Access: Exploit Public-Facing Application (T1190) via SQL injection.
- Execution/Privilege: Post-exploitation RCE paths may include command execution via application features (T1059), depending on environment and attacker chaining.
References
- NVD entry for CVE-2024-32640. NVD
- CVEDetails summary and EPSS context. CVE Details
- GitHub advisory and release notes for patched versions (7.2.8, 7.3.13, 7.4.6). NVD