CVE-2024-8517

CRITICAL NUCLEI

SPIP <4.3.2-4.1.18 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-8517. PoCs have been published by Chocapikk, saadhassan77, Vozec, Laluka, Julien Voisin and Valentin Lobstein, including the Metasploit module exploits/multi/http/spip_bigup_unauth_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-8517, an unauthenticated RCE vulnerability in the SPIP BigUp plugin. The exploit leverages improper input validation in the `lister_fichiers_par_champs` function to execute arbitrary PHP code via crafted multipart form data.

Description

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

Exploits (3)

nomisec WORKING POC 16 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2024-8517

This repository contains a functional exploit for CVE-2024-8517, an unauthenticated RCE vulnerability in the SPIP BigUp plugin. The exploit leverages improper input validation in the `lister_fichiers_par_champs` function to execute arbitrary PHP code via crafted multipart form data.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP (with BigUp plugin) versions up to 4.3.1, 4.2.15, and 4.1.17
No auth needed
Prerequisites: Target running vulnerable SPIP version with BigUp plugin · Network access to the SPIP instance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by saadhassan77 · poc
https://github.com/saadhassan77/SPIP-BigUp-Unauthenticated-RCE-Exploit-CVE-2024-8517

This Python script exploits an unauthenticated RCE vulnerability in the SPIP BigUp plugin (CVE-2024-8517) by abusing the `lister_fichiers_par_champs` function. It uploads a malicious PHP payload via the `bigup_retrouver_fichiers` parameter and executes arbitrary commands without authentication.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP CMS with BigUp plugin (≤ 4.3.1, ≤ 4.2.15, ≤ 4.1.17)
No auth needed
Prerequisites: Target running vulnerable SPIP BigUp plugin · Network access to the target
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Vozec, Laluka, Julien Voisin, Valentin Lobstein · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spip_bigup_unauth_rce.rb

This Metasploit module exploits a Remote Code Execution vulnerability in the SPIP BigUp plugin by injecting arbitrary PHP code via improper handling of multipart form data in file uploads. The exploit targets unauthenticated users and leverages the `lister_fichiers_par_champs` function triggered by the `bigup_retrouver_fichiers` parameter.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SPIP BigUp Plugin (versions 4.0.0 to 4.3.1, 4.2.15, and 4.1.17)
No auth needed
Prerequisites: Target must be running a vulnerable version of SPIP with the BigUp plugin installed · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

SPIP BigUp Plugin - Remote Code Execution
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan: http.favicon.hash:-1224668706
FOFA: X-Spip-Cache

References (4)

Core References (4)
https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/ (Exploit, Third Party Advisory; tags: exploit, technical-description)
https://vulncheck.com/advisories/spip-upload-rce (Third Party Advisory; tags: third-party-advisory)
https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload/ (Exploit, Third Party Advisory; tags: exploit, technical-description)

Scores

CVSS v3 9.8
EPSS 0.9462
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-78 CWE-73
Status published
Products (3)
spip/spip 4.3.0
spip/spip 4.3.1
spip/spip 4.0.0 - 4.1.18
Published Sep 06, 2024
Tracked Since Feb 18, 2026