CVE-2023-24249

HIGH

laravel-admin 1.8.19 - Arbitrary File Upload and Remote Code Execution via PHP File

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-24249. PoCs published by IDUZZEL, ldb33.

AI-analyzed exploit summary This repository contains a functional exploit script for CVE-2023-24249, an arbitrary file upload vulnerability in laravel-admin v1.8.19. The exploit automates authentication, uploads a PHP reverse shell, and executes it to achieve remote code execution.

Description

An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.

Exploits (2)

nomisec WORKING POC 11 stars

by IDUZZEL · poc

https://github.com/IDUZZEL/CVE-2023-24249-Exploit

View Code ZIP pw:eip

This repository contains a functional exploit script for CVE-2023-24249, an arbitrary file upload vulnerability in laravel-admin v1.8.19. The exploit automates authentication, uploads a PHP reverse shell, and executes it to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: laravel-admin v1.8.19

Auth required

Prerequisites: Valid credentials for the target application · Network access to the target · Listener set up for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by ldb33 · poc

https://github.com/ldb33/CVE-2023-24249-PoC

View Code ZIP pw:eip

This repository contains a functional Python script that exploits CVE-2023-24249, an arbitrary file upload vulnerability in laravel-admin v1.8.19, to upload a PHP web shell. The exploit demonstrates authentication bypass via CSRF token extraction and file upload manipulation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: laravel-admin v1.8.19

Auth required

Prerequisites: Valid credentials for the target application · Network access to the vulnerable web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://flyd.uk/post/cve-2023-24249/

Product

https://github.com/z-song/laravel-admin

Product

https://laravel-admin.org/

Scores

CVSS v3 7.2

EPSS 0.4864

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

encore/laravel-admin 0Packagist

laravel-admin/laravel-admin 1.8.19

Published Feb 27, 2023

Tracked Since Feb 18, 2026