CVE-2023-41892

CRITICAL EXPLOITED NUCLEI

Craft CMS unauthenticated Remote Code Execution (RCE)

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2023-41892 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including 0xfalafel, diegaccio, zaenhaxor, including a Metasploit module exploits/linux/http/craftcms_unauth_rce_cve_2023_41892. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-41892, an unauthenticated remote code execution vulnerability in Craft CMS versions 4.0.0-RC1 to 4.4.14. The exploit leverages deserialization via the `conditions/render` endpoint to execute arbitrary PHP code and deploy a webshell.

Description

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.

Exploits (7)

nomisec WORKING POC 11 stars
by 0xfalafel · remote
https://github.com/0xfalafel/CraftCMS_CVE-2023-41892

This repository contains a functional exploit for CVE-2023-41892, an unauthenticated remote code execution vulnerability in Craft CMS versions 4.0.0-RC1 to 4.4.14. The exploit leverages deserialization via the `conditions/render` endpoint to execute arbitrary PHP code and deploy a webshell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS 4.0.0-RC1 - 4.4.14
No auth needed
Prerequisites: Target must be running a vulnerable version of Craft CMS · Network access to the target's web interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 5 stars
by diegaccio · remote
https://github.com/diegaccio/Craft-CMS-Exploit

This repository contains a functional Python exploit for CVE-2023-41892, targeting Craft CMS versions 4.0.0-RC1 to 4.4.14. The exploit leverages deserialization and file upload vulnerabilities to achieve remote code execution by deploying a malicious PHP file and spawning a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS 4.0.0-RC1 - 4.4.14
No auth needed
Prerequisites: Network access to the target Craft CMS instance · Python 3 environment · Netcat or similar listener for reverse shell
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 3 stars
by zaenhaxor · remote
https://github.com/zaenhaxor/CVE-2023-41892

The repository contains a functional exploit script for CVE-2023-41892, a Craft CMS Remote Code Execution (RCE) vulnerability. The script sends a crafted POST request to trigger deserialization via the `conditions/render` endpoint, leading to arbitrary code execution (e.g., `phpinfo()`).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS (versions affected by CVE-2023-41892)
No auth needed
Prerequisites: Target must be running a vulnerable version of Craft CMS · Network access to the target's `/index.php` endpoint
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by user01-1 · remote
https://github.com/user01-1/CVE-2023-41892_poc

This repository contains functional exploit code for CVE-2023-41892, targeting a deserialization vulnerability in Craft CMS. The PoC demonstrates remote code execution (RCE) by uploading a webshell via Imagick manipulation, with both authenticated and unauthenticated variants.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS (version not specified)
No auth needed
Prerequisites: Target must be running vulnerable Craft CMS · PHP with Imagick extension enabled
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS
by CERTologists · poc
https://github.com/CERTologists/HTTP-Request-for-PHP-object-injection-attack-on-CVE-2023-41892

The repository lacks actual exploit code and only provides generic mitigation advice for PHP object injection attacks. No technical details about CVE-2023-41892 are included.

Classification
Suspicious 90%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: unspecified PHP application
No auth needed
Prerequisites: unspecified
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by acesoyeo · local
https://github.com/acesoyeo/CVE-2023-41892

This repository contains a functional exploit for CVE-2023-41892, a Remote Code Execution (RCE) vulnerability in Craft CMS. The exploit leverages deserialization and Imagick file handling to write a malicious PHP shell to the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS (version not specified)
No auth needed
Prerequisites: Target must be running a vulnerable version of Craft CMS · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb

This Metasploit module exploits CVE-2023-41892, an unauthenticated RCE vulnerability in Craft CMS versions 4.0.0-RC1 to 4.4.14. It leverages PHP object instantiation in `ConditionsController` and Imagick's MSL to upload a malicious PHP webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS 4.0.0-RC1 - 4.4.14
No auth needed
Prerequisites: Craft CMS instance with vulnerable version · Imagick extension enabled · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution
CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch
Shodan: http.favicon.hash:-47932290 || cpe:"cpe:2.3:a:craftcms:craft_cms" || http.html:craftcms
FOFA: icon_hash=-47932290 || body=craftcms

References (7)

Core 7
Core References

Scores

CVSS v3 10.0
EPSS 0.9382
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Details

VulnCheck KEV 2024-04-15
CWE
CWE-94
Status published
Products (2)
craftcms/cms 4.0.0-RC1 - 4.4.15Packagist
craftcms/craft_cms 4.4.0 - 4.4.15
Published Sep 13, 2023
Tracked Since Feb 18, 2026