What happened
CISA added CVE-2024-56145 (Craft CMS) to the Known Exploited Vulnerabilities (KEV) catalog on 2025-06-02, signaling confirmed exploitation in the wild (CISA KEV). The entry lists a code injection issue that can lead to remote code execution (RCE) when the PHP configuration register_argc_argv is enabled (NVD CVE-2024-56145). CISA set a remediation due date of 2025-06-23 for U.S. Federal agencies, requiring mitigation or discontinuation per vendor guidance (CISA KEV).
The vendor advisory aligns with this description, classifying the flaw as code injection and warning of RCE when register_argc_argv is on (GitHub Advisory GHSA-2p6p-9rc9-62j9). MITRE tracks the CVE under Craft CMS with code injection semantics (MITRE CVE record).
Why it matters
A CMS RCE is a turnkey path to site takeover, data theft, and downstream pivoting. KEV inclusion means exploitation is observed, not hypothetical, which materially raises priority for defenders (CISA KEV). The configuration precondition (register_argc_argv enabled) is common enough in bespoke or legacy PHP deployments that it cannot be assumed safe without verification (NVD CVE-2024-56145). CWE-94 (code injection) routinely yields arbitrary code execution when input flows reach interpreters, which is high-impact in web-exposed stacks (NVD CWE ref via CVE).
For U.S. Federal civilian agencies, KEV listings are mandatory to remediate by the due date; failure to meet the 2025-06-23 deadline is a noncompliance risk in addition to operational exposure (CISA KEV). Private-sector operators should treat KEV entries as de facto exploit-in-the-wild alerts and move to immediate triage and patch windows (MITRE CVE record).
Technical detail
- Vulnerability: Craft CMS contains a code injection flaw mapped to CWE-94, enabling execution of injected code paths in affected versions (NVD CVE-2024-56145). The vendor advisory frames impact as RCE under specific runtime configuration (GitHub Advisory GHSA-2p6p-9rc9-62j9).
- Exploitation condition: RCE is achievable only if php.ini register_argc_argv is enabled, according to the advisory and catalog descriptions (GitHub Advisory GHSA-2p6p-9rc9-62j9; CISA KEV).
- Threat signal: KEV addition is an exploitation-confirmed signal; adversaries are actively leveraging this path in the wild, warranting accelerated remediation (CISA KEV).
What we do not assert: version ranges, exploit primitives, and patch identifiers are not included here because they are not present in the supplied records; defer to the vendor advisory for exact fix guidance (GitHub Advisory GHSA-2p6p-9rc9-62j9).
Defense
Immediate actions:
- Patch/upgrade: Apply the vendor’s fixes per the Craft CMS advisory as your first-line remediation (GitHub Advisory GHSA-2p6p-9rc9-62j9). Federal programs: track to CISA’s 2025-06-23 due date for KEV closure (CISA KEV).
- Configuration mitigation: If patching is not immediate, disable php.ini register_argc_argv to disrupt the RCE precondition noted by the advisory and NVD (NVD CVE-2024-56145; GitHub Advisory GHSA-2p6p-9rc9-62j9).
Exposure reduction and monitoring:
- Inventory & scope: Enumerate Craft CMS assets exposed to the internet and confirm PHP configuration state across hosts to verify register_argc_argv is off where feasible (MITRE CVE record).
- Runtime watch: Monitor PHP worker processes for anomalous behavior associated with code injection/RCE, such as unexpected child process creation or outbound connections tied to CMS request paths; prioritize systems where register_argc_argv is enabled per the advisory context (NVD CVE-2024-56145; GitHub Advisory GHSA-2p6p-9rc9-62j9).
- Threat-informed patching: Treat KEV inclusion as evidence of ongoing attacker ROI and move Craft CMS upgrades into emergency change windows until the CVE is closed (CISA KEV).
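One way to carry out the configuration check from the inventory step, as an added example (not code from the advisory or from Craft CMS): it resolves the effective register_argc_argv value from php.ini text in load order and treats an unset directive as On, because that is PHP's built-in default. Host names, file names and file contents are constructed samples, and the function names are hypothetical.

```python
"""Resolve the effective register_argc_argv state from collected ini files."""
import re

TRUE_WORDS = {"on", "true", "yes"}
# PHP enables the directive when no ini file sets it; the stock
# php.ini-development and php.ini-production files set it to Off.
BUILTIN_DEFAULT = True
# Directive names are case sensitive; a leading ';' makes the line a comment.
DIRECTIVE = re.compile(r"^\s*register_argc_argv\s*=\s*(.*)$")


def parse_bool(raw):
    """Interpret an ini boolean: On/True/Yes or a non-zero integer is true."""
    value = raw.split(";", 1)[0].strip().strip("\"'").lower()
    if value in TRUE_WORDS:
        return True
    return value.isdigit() and int(value) != 0


def audit(ini_files):
    """ini_files: ordered (name, text) pairs, main php.ini first, then the
    scan-directory files in load order. The last assignment wins.
    Not evaluated here: [PATH=]/[HOST=] sections and per-directory
    overrides (.user.ini, .htaccess)."""
    enabled, source = BUILTIN_DEFAULT, "built-in default (directive not set)"
    for name, text in ini_files:
        for lineno, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            if match:
                enabled, source = parse_bool(match.group(1)), f"{name}:{lineno}"
    return enabled, source


def exposed_hosts(fleet):
    """Return {host: where the On state comes from} for hosts to prioritize."""
    findings = {}
    for host, ini_files in fleet.items():
        enabled, source = audit(ini_files)
        if enabled:
            findings[host] = source
    return findings


# Constructed sample fleet: explicit Off, a conf.d override, a commented-out line.
FLEET = {
    "web-a": [("php.ini", "[PHP]\nregister_argc_argv = Off\n")],
    "web-b": [("php.ini", "register_argc_argv = Off ; hardened\n"),
              ("conf.d/99-legacy.ini", "; old wrapper\nregister_argc_argv = \"On\"\n")],
    "web-c": [("php.ini", ";register_argc_argv = Off\nmemory_limit = 256M\n")],
}

if __name__ == "__main__":
    for host, source in exposed_hosts(FLEET).items():
        print(f"{host}: register_argc_argv is On ({source})")
```

Feed it the files the web SAPI actually loads: PHP's CLI SAPI forces this directive on regardless of php.ini, so a check run through the command-line binary does not reflect the web-facing state.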
Lyrie Verdict
Configuration-gated RCEs are attacker gold because they fly under coarse vulnerability scanners until runtime conditions are met. Lyrie closes that gap by operating at machine speed against live process and config state. Our detectors continuously reconcile web request flows, PHP runtime configuration, and process behavior to surface RCE patterns tied to code injection classes like CWE-94 (NVD CVE-2024-56145). Specifically for CVE-2024-56145, Lyrie flags: Craft CMS traffic hitting PHP workers where register_argc_argv is enabled, plus emergent behaviors (unexpected child processes, code-loading anomalies) that align with exploitation described in the advisory (GitHub Advisory GHSA-2p6p-9rc9-62j9). With KEV-confirmed exploitation, we auto-escalate detections and can enforce kill-chain disruption without waiting for human triage, aligning with CISA’s urgency window for this CVE (CISA KEV).
Lyrie Verdict
Configuration-gated RCEs bypass static scanning until runtime conditions flip. Lyrie fuses HTTP flow, PHP config state (e.g., register_argc_argv), and process telemetry to detect CWE-94 code-injection execution at machine speed. For CVE-2024-56145 we auto-flag Craft CMS paths on hosts with the risky PHP flag enabled and escalate on child-process or code-loading anomalies, enabling autonomous interdiction aligned to CISA KEV urgency.