Aero CMS 0.0.1 Vulnerability Allows Authenticated PHP Code Injection

The National Vulnerability Database has detailed CVE-2022-50944, a critical PHP code injection vulnerability within Aero CMS version 0.0.1. This flaw enables authenticated attackers to execute arbitrary PHP code by uploading malicious files. The attack vector is straightforward: an attacker can upload PHP files with embedded code via the image parameter to the admin/posts.php endpoint, specifically with the source=add_post parameter. The server then executes these uploaded files.

This isn’t theoretical. An authenticated attacker gaining this foothold can completely compromise the underlying server. We’re talking about full system access, data exfiltration, or even using the compromised CMS as a pivot point for further network penetration. The CVSS score of 8.8 (HIGH) reflects the severe impact: a network attack vector, low attack complexity, low privileges required, and complete compromise of confidentiality, integrity, and availability.

For defenders, the takeaway is clear. If Aero CMS 0.0.1 is in your environment, it’s a ticking time bomb. This isn’t a complex exploit; it leverages a fundamental flaw in how the application handles file uploads. Prioritize patching or, failing that, immediate removal. Assume compromise if you’re running this version unpatched and have any authenticated users.

What This Means For You

  • If your organization uses Aero CMS 0.0.1, you have a critical vulnerability that allows authenticated attackers to execute arbitrary PHP code. Immediately identify all instances of this CMS, apply any available patches, or, if no patch exists, remove it from your environment. Audit logs for suspicious file uploads or unexpected server activity originating from the CMS.
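The log audit recommended above can be scripted. The following is an added example, not part of the original advisory or of Aero CMS: it flags POSTs to admin/posts.php with source=add_post and any request for a PHP-type file under the upload directory, noting when both come from the same client. The upload path "/uploads/", the log format (common/combined) and the sample lines are assumptions; the advisory does not name the upload directory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Access-log line: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
PHP_EXT = re.compile(r'\.(?:php\d?|phtml|phar)$', re.IGNORECASE)

def audit(lines, upload_prefix):
    """Return (kind, client, time, path) findings in log order.

    upload_prefix is an assumption: the URL path your install serves
    uploaded post images from. The advisory does not name it.
    """
    posted = set()   # clients seen submitting the add_post form
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if (method == "POST" and status == "200"
                and url.path.endswith("/admin/posts.php")
                and parse_qs(url.query).get("source") == ["add_post"]):
            posted.add(client)
            findings.append(("add_post_submit", client, when, url.path))
        elif url.path.startswith(upload_prefix) and PHP_EXT.search(url.path):
            # A script requested from an image directory is abnormal on its
            # own; it is worse when the same client just used add_post.
            kind = "php_after_add_post" if client in posted else "php_in_uploads"
            findings.append((kind, client, when, url.path))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up filenames).
SAMPLE = [
    '192.0.2.10 - - [10/May/2026:09:00:01 +0000] "POST /admin/posts.php?source=add_post HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/May/2026:09:00:07 +0000] "GET /uploads/photo.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/May/2026:09:02:00 +0000] "GET /uploads/cat.jpg HTTP/1.1" 200 20480',
    '198.51.100.7 - - [10/May/2026:09:03:00 +0000] "GET /admin/posts.php?source=add_post HTTP/1.1" 200 4100',
    '203.0.113.5 - - [10/May/2026:09:04:00 +0000] "GET /uploads/x.PHTML HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "/uploads/"):
        print(*finding, sep="  ")
```

Every add_post_submit entry is a legitimate action unless paired with a script request, so treat those rows as context for the php_* findings rather than alerts on their own.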

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2022-50944 - Aero CMS Authenticated PHP Code Injection via Image Upload

Sigma YAML
title: CVE-2022-50944 - Aero CMS Authenticated PHP Code Injection via Image Upload
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects the request path used in CVE-2022-50944. Attackers authenticated to Aero CMS 0.0.1 can upload a malicious PHP file disguised as an image via the 'image' parameter to the '/admin/posts.php' endpoint with 'source=add_post'. This rule looks for POST requests to this specific path, expecting a 200 status code. The uploaded filename is not visible in web access logs, so the .php extension check has to run against file-creation events instead.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2022-50944/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Web access logs record the request line, not the multipart body, so the
  # 'image' form field cannot be matched in cs-uri-query.
  selection:
    cs-method: 'POST'
    cs-uri-stem|endswith: '/admin/posts.php'
    cs-uri-query|contains: 'source=add_post'
    sc-status: 200
  # TargetFilename is a file_event field and never appears under a webserver
  # log source, so requiring it here meant the rule could not fire. Match
  # "TargetFilename|endswith: '.php'" in a separate file_event rule.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2022-50944 | Code Injection | Aero CMS 0.0.1
CVE-2022-50944 | Code Injection | PHP code injection via image parameter
CVE-2022-50944 | RCE | Authenticated arbitrary PHP code execution
CVE-2022-50944 | Code Injection | Vulnerable endpoint: admin/posts.php with source=add_post parameter

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
