Masa/Mura CMS CVE-2024-32640 SQL Injection: Brief Summary and PoC

This post offers a brief summary of CVE-2024-32640, a critical SQL injection vulnerability in Masa/Mura CMS. It covers technical details, affected versions, PoC usage, and detection methods based on public sources.

ZeroPath CVE Analysis

2025-08-11

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Apple's infrastructure was breached using a SQL injection in Masa/Mura CMS, exposing the risks of pre-authentication vulnerabilities in widely deployed enterprise content management systems. Security teams have observed active exploitation campaigns targeting this flaw, with automated tools making detection and exploitation trivial for attackers.

Masa CMS is an open-source enterprise content management system, forked from the legacy Mura CMS after Mura transitioned to a proprietary model. Both platforms are used by enterprises and government agencies for large-scale content delivery. Their JSON API and plugin architecture make them flexible but also increase the attack surface for web-based threats.

Technical Information

CVE-2024-32640 is a critical SQL injection vulnerability in the processAsyncObject method of the Masa/Mura CMS JSON API. The vulnerability is present when user input to the contenthistid parameter is directly concatenated into SQL queries in the getObjects function. This affects the endpoint:

/_api/json/v1/default/?method=processAsyncObject

The root cause is insufficient input sanitization. The Lucee CFML engine, which powers the backend, escapes single quotes by default. However, this can be bypassed by using a backslash escape sequence (%5c) before a single quote. This allows an attacker to inject arbitrary SQL into the query.
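Why the backslash matters, as an added illustration that is not code from Masa/Mura CMS or Lucee: it assumes the default escaping is quote doubling and that the database honours backslash escapes inside string literals (MySQL's default behaviour). The function names are hypothetical.

```python
def quote_doubling_escape(value):
    """Assumed default escaping for interpolated values: ' becomes ''."""
    return value.replace("'", "''")


def build_literal(user_value):
    """Concatenate an escaped value into a quoted SQL string literal."""
    return "'" + quote_doubling_escape(user_value) + "'"


def read_literal(sql, backslash_escapes):
    """Scan the string literal that opens at sql[0].

    Returns (decoded_value, remaining_sql), or None if the literal never
    closes. backslash_escapes=False models the escaper's view of SQL;
    backslash_escapes=True models a database that treats \\' as a quote.
    """
    assert sql[0] == "'"
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])            # \' is a literal character
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")                   # '' is a literal quote
            i += 2
        elif ch == "'":
            return "".join(out), sql[i + 1:]  # closing quote
        else:
            out.append(ch)
            i += 1
    return None                               # literal left open


# contenthistid=x%5c' from the URL on this page, after percent-decoding.
PAGE_VALUE = "x\\'"

def compare_views(user_value):
    """Parse the same escaped literal under both sets of rules."""
    literal = build_literal(user_value)
    return (read_literal(literal, backslash_escapes=False),
            read_literal(literal, backslash_escapes=True))
```

Under the escaper's rules the value round-trips as data; under backslash-escape rules the same bytes leave the literal unbalanced, so quote boundaries no longer match what the application intended. Passing the value as a bound parameter (cfqueryparam in CFML) keeps it out of literal parsing altogether.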

A key detail is that the vulnerable code path requires the isOnDisplay property to be true. This is typically overwritten by application logic, but can be forced by supplying any value for the previewID parameter. The final exploit URL structure is:

/_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=x%5c'&previewID=x

Once the SQL injection is successful, attackers can escalate to remote code execution. This is typically achieved by extracting admin credentials or tokens via SQL injection, then using the CMS's plugin installation feature to upload a malicious ColdFusion Markup Language (CFML) file.

Proof of Concept

The Proof-of-Concept (PoC) for CVE-2024-32640 demonstrates an automated method to detect and exploit a SQL Injection vulnerability in Mura/Masa CMS. This PoC, named 'Muraider,' is designed to streamline the identification and exploitation process.

Detection:

To detect the vulnerability, execute the following command:

python3 CVE-2024-32640.py --url https://target.com/

Replace https://target.com/ with the URL of the target Mura/Masa CMS instance. This command initiates the detection phase, scanning the specified URL for the presence of the SQL Injection vulnerability.

Exploitation with Ghauri:

For exploitation, the PoC integrates with Ghauri, a SQL Injection exploitation tool. To utilize this feature, append the -g or --ghauri flag followed by Ghauri-specific arguments. For example, to retrieve database information, use:

python3 CVE-2024-32640.py --url https://target.com -g "--dbs --current-db"

This command automates the exploitation process by passing the detected vulnerability to Ghauri, which then executes the specified SQL Injection payloads to extract database information.

By automating both detection and exploitation, this PoC simplifies the process of identifying and leveraging the CVE-2024-32640 vulnerability in Mura/Masa CMS.

References: [https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS]

Detection Methods

Detecting SQL injection vulnerabilities, such as CVE-2024-32640 in Mura/Masa CMS, involves a combination of automated tools and manual analysis. One effective approach is to use specialized scripts designed to identify and exploit such vulnerabilities.

For instance, the CVE-2024-32640.py script automates the detection and exploitation process. By providing the target URL, the script can assess the presence of the vulnerability. Additionally, it integrates with tools like Ghauri for further exploitation, allowing for commands such as retrieving database names or the current database.

It's crucial to ensure that any testing is conducted ethically and with proper authorization. Unauthorized testing can lead to legal consequences and potential harm to systems.

References: [https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS]
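For defenders, the request shape described under Technical Information can also be matched in web server access logs. The following is an added example, not part of the referenced PoC: it assumes combined-format logs, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

API_PATH = "/_api/json/v1/default/"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''
203.0.113.7 - - [11/Aug/2025:10:00:01 +0000] "GET /_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=x%5c'&previewID=x HTTP/1.1" 500 1204
203.0.113.7 - - [11/Aug/2025:10:00:02 +0000] "GET /_api/json/v1/default/?METHOD=processasyncobject&contentHistID=x%255C%2527&previewid=1 HTTP/1.1" 500 1204
198.51.100.4 - - [11/Aug/2025:10:00:03 +0000] "GET /_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=3F2504E0-4F89-11D3-9A0C-0305E82C3301 HTTP/1.1" 200 5120
198.51.100.4 - - [11/Aug/2025:10:00:04 +0000] "GET /index.cfm HTTP/1.1" 200 8841
'''.strip().splitlines()


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %255C -> %5C -> backslash)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return 'suspicious' or 'ok' for processAsyncObject calls, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().startswith(API_PATH):
        return None
    # Parameter names are matched case-insensitively; parse_qs decodes once.
    params = {k.lower(): [fully_decode(v) for v in vals]
              for k, vals in parse_qs(url.query, keep_blank_values=True).items()}
    if "processasyncobject" not in (v.lower() for v in params.get("method", [])):
        return None
    # A backslash or quote in contenthistid is the pattern this CVE relies on.
    if any("\\" in v or "'" in v for v in params.get("contenthistid", [])):
        return "suspicious"
    return "ok"


def scan(lines):
    """Return 1-based line numbers of suspicious requests."""
    return [n for n, line in enumerate(lines, 1) if classify(line) == "suspicious"]
```

Access logs usually record only the query string, so parameters sent in a POST body are not visible to this check and need inspection at a proxy or WAF instead.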

Affected Systems and Versions

  • All versions of legacy Mura CMS are affected
  • Masa CMS versions prior to 7.4.6, 7.3.13, and 7.2.8 are affected
  • The vulnerability is present in the processAsyncObject method, specifically when the contenthistid parameter is used in conjunction with the JSON API endpoint
  • Systems exposing the /_api/json/v1/default/ endpoint without authentication are at risk

Vendor Security History

Masa CMS has a track record of transparent and rapid response to security issues. The vendor released patches for all supported branches (7.4.6, 7.3.13, 7.2.8) soon after disclosure. Previous vulnerabilities in both Mura and Masa CMS have been addressed with similar transparency and speed, reflecting a mature approach to security.
