A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-47051

CVE-2024-47051: Acquia Mautic RCE Vulnerability

CVE-2024-47051 is a remote code execution flaw in Acquia Mautic that allows authenticated attackers to upload malicious files and execute arbitrary code. This article covers the technical details, affected versions, and mitigation.

Published: May 26, 2026

CVE-2024-47051 Overview

CVE-2024-47051 covers two security vulnerabilities in Mautic marketing automation software before version 5.2.3. The first is a Remote Code Execution (RCE) flaw in the asset upload functionality. Insufficient validation of allowed file extensions lets authenticated attackers upload executable files such as PHP scripts. The second is a Path Traversal flaw [CWE-23] in the upload validation process. Improper handling of path components enables authenticated users to delete arbitrary files on the host system. Both issues require authenticated access but enable complete compromise of the Mautic instance and underlying server.

Critical Impact

An authenticated attacker can achieve remote code execution on the host and delete arbitrary files, leading to full server compromise and data loss.

Affected Products

  • Acquia Mautic versions before 5.2.3
  • Mautic open source marketing automation platform
  • Any deployment exposing authenticated asset upload functionality

Discovery Timeline

  • 2025-02-26 - CVE-2024-47051 published to the National Vulnerability Database
  • 2025-10-16 - Last updated in NVD database

Technical Details for CVE-2024-47051

Vulnerability Analysis

The advisory describes two distinct weaknesses chained under a single CVE. The RCE vector resides in Mautic's asset upload feature, which validates file extensions through an incomplete deny-list. Attackers can submit filenames or content types that bypass the extension check, placing executable PHP files into a web-accessible directory. Once uploaded, requesting the file triggers server-side execution under the web server account.

The second weakness is a path traversal in the upload validation routine. The application does not normalize path components such as ../ sequences before performing file operations. An authenticated user can craft an upload request that references files outside the intended upload directory, causing the deletion logic to remove arbitrary files. Deleting configuration files, session stores, or application source files produces denial-of-service conditions and can assist further exploitation.

Both flaws require valid credentials but only standard user privileges, which makes credential theft or weak account compromise a viable entry point. The scope changes once code executes under the web server context, granting access to database credentials, customer marketing data, and adjacent services.

Root Cause

The RCE stems from improper enforcement of allowed file extensions during asset upload. The path traversal stems from missing canonicalization and validation of user-supplied path components before file deletion operations, classified as CWE-23 Relative Path Traversal.

Attack Vector

Exploitation requires network access to the Mautic web interface and valid authenticated credentials. An attacker logs in, navigates to the asset upload feature, and submits a crafted file whose extension or MIME handling bypasses the validation routine. After upload, the attacker requests the resulting URL to execute server-side code. For the deletion variant, the attacker submits an upload request with a manipulated path parameter to remove files outside the asset directory. Refer to the Mautic GitHub Security Advisory for technical specifics.

Detection Methods for CVE-2024-47051

Indicators of Compromise

  • New or unexpected .php, .phtml, or .phar files within Mautic's media/files/ or media/assets/ directories.
  • Web server access logs showing POST requests to asset upload endpoints followed by GET requests to uploaded files with executable extensions.
  • Unexpected outbound network connections originating from the PHP-FPM or Apache worker process hosting Mautic.
  • Missing or recently deleted core application files, configuration files, or log entries indicating file removal operations from authenticated sessions.

Detection Strategies

  • Monitor file system events in Mautic upload directories for creation of files with server-executable extensions.
  • Inspect HTTP request bodies for upload parameters containing ../ sequences or absolute paths.
  • Correlate authenticated Mautic session activity with web shell-like response patterns such as short request-response intervals returning command output.

Monitoring Recommendations

  • Enable verbose application logging in Mautic and forward logs to a centralized SIEM for correlation with web server and host telemetry.
  • Alert on process creation events where the web server user spawns shells, curl, wget, or scripting interpreters.
  • Baseline expected files in Mautic content directories and alert on deviations.

How to Mitigate CVE-2024-47051

Immediate Actions Required

  • Upgrade Mautic to version 5.2.3 or later as the primary remediation.
  • Audit Mautic user accounts and rotate credentials, removing inactive or unnecessary accounts that could be used for authenticated exploitation.
  • Review asset upload directories for unauthorized files and inspect application files for unexpected deletions or modifications.
  • Restrict network access to the Mautic administration interface using IP allow-lists or VPN-only access.

Patch Information

The Mautic project addressed both vulnerabilities in version 5.2.3. Patch details and remediation guidance are published in the Mautic GHSA-73gx-x7r9-77x2 advisory. Acquia Mautic customers should apply the corresponding update through their managed channel.

Workarounds

  • Configure the web server to deny execution of PHP and other interpreter files within Mautic upload directories using directives such as php_flag engine off or equivalent Nginx location blocks.
  • Apply strict file system permissions so the web server account cannot write to directories outside designated upload paths.
  • Place the Mautic instance behind a web application firewall with rules that block path traversal sequences and disallowed file extensions in multipart upload requests.
bash
# Apache: disable PHP execution in Mautic upload directories
<Directory "/var/www/mautic/media/files">
    php_flag engine off
    AddType text/plain .php .phtml .php3 .php4 .php5 .phar
    Options -ExecCGI
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechMautic
  • SeverityCRITICAL
  • CVSS Score9.9
  • EPSS Probability1.11%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-23
  • Technical References
  • OWASP Code Injection Attack
  • OWASP Path Traversal Attack
  • Vendor Resources
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-3105: API Contact Activities SQLi Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English