Fixed Intel

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Jul 28, 2025

CVE-2016-10033

High
CVSS 9.8 | EPSS 94.5% | CISA KEV | PoC Available
PHP/PHPMailer

Description

PHPMailer before 5.2.18 is vulnerable to argument injection (CWE-88) in the isMail transport of 'class.phpmailer.php'. When sending through PHP's 'mail()' function, mailSend() builds the extra-parameters string as '-f' followed by the unsanitised Sender (From) address, and PHP passes that string to the configured sendmail binary through /bin/sh. A syntactically valid RFC 822 address may contain a quoted local part with spaces and escaped quotes, so an attacker who controls the sender address (for example through a web contact form) can append additional sendmail options. The public proof of concept uses the '-X' option to write the message, including attacker-supplied PHP code, to a file under the web root, giving arbitrary code execution in the context of the web application. Failed exploit attempts may result in a denial-of-service condition.

CVSS Score

9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Probability

94.5%

Percentile 100.0% (rounded): this CVE scores higher than practically every other scored CVE

Weakness Classification (CWE)

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (MITRE)

Known Exploits

POC

Exploit:
http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html
http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://www.exploit-db.com/exploits/40968/
https://www.exploit-db.com/exploits/40969/
https://www.exploit-db.com/exploits/40970/
https://www.exploit-db.com/exploits/40974/
https://www.exploit-db.com/exploits/40986/
https://www.exploit-db.com/exploits/41962/
https://www.exploit-db.com/exploits/41996/
https://www.exploit-db.com/exploits/42024/
https://www.exploit-db.com/exploits/42221/

Mailing List:
http://seclists.org/fulldisclosure/2016/Dec/78

Third Party Advisory:
https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
https://www.drupal.org/psa-2016-004

Broken Link:
http://www.securityfocus.com/archive/1/539963/100/0/threaded
http://www.securityfocus.com/bid/95108
http://www.securitytracker.com/id/1037533

Required Action

This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see:

https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18
https://github.com/advisories/GHSA-5f37-gxvh-23v6
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
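The Description above explains the mechanism and the Required Action points at the 5.2.18 fix. The following Python script is an added example, not code from PHPMailer or from PHP, that reproduces the argument-construction path end to end: it ports PHP's escapeshellcmd() (which mail() applies to its extra-parameters argument), emulates the shell word splitting that happens when PHP runs sendmail through /bin/sh, and ports the allow-list check (isShellSafe()) that PHPMailer later adopted. Assumptions: PHP's default sendmail_path '/usr/sbin/sendmail -t -i', the pre-5.2.18 "sprintf('-f%s', $this->Sender)" construction, and shlex as a stand-in for /bin/sh; the function names (sendmail_argv_for_sender, sender_params_hardened, is_shell_safe) are this example's own. The sender address used as input is the one from the public advisory.

```python
"""Added example (not PHPMailer's or PHP's code): how CVE-2016-10033 turns a Sender
address into extra sendmail arguments, and the allow-list check that neutralises it.

Assumptions: PHP's default sendmail_path "/usr/sbin/sendmail -t -i"; PHP's mail()
escaping the extra-parameters string with escapeshellcmd() and running the result via
/bin/sh (modelled here with shlex); PHPMailer <5.2.18 building that string as
sprintf('-f%s', $this->Sender).
"""
import shlex
from typing import List, Optional

SENDMAIL_PATH = "/usr/sbin/sendmail -t -i"   # PHP's compiled-in default sendmail_path

# Sender address from the public advisory: a syntactically valid RFC 822 address whose
# quoted local part smuggles sendmail options (-oQ queue directory, -X log file under
# the web root).
MALICIOUS_SENDER = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'

# Characters PHP's escapeshellcmd() prefixes with a backslash (ext/standard/exec.c).
_SPECIAL = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s: str) -> str:
    """Python port of PHP's escapeshellcmd(): metacharacters are backslash-escaped, but
    a quote that has a matching partner later in the string is left untouched. That
    exception is what lets balanced quotes survive into the shell command line."""
    out = []
    open_quote = None  # quote character escapeshellcmd currently treats as "paired"
    for i, c in enumerate(s):
        if c in ('"', "'"):
            if open_quote is None and c in s[i + 1:]:
                open_quote = c        # opening quote with a closer ahead: kept as-is
            elif open_quote == c:
                open_quote = None     # the matching closer: kept as-is
            else:
                out.append('\\')      # unpaired quote: escaped
            out.append(c)
        elif c in _SPECIAL:
            out.append('\\' + c)
        else:
            out.append(c)
    return ''.join(out)


def sendmail_argv_for_sender(sender: str) -> List[str]:
    """Argument vector sendmail receives when PHPMailer <5.2.18 (isMail transport) sends
    with this Sender: '-f' + Sender -> escapeshellcmd() in mail() -> word splitting by sh."""
    params = "-f" + sender                                       # sprintf('-f%s', $this->Sender)
    cmdline = SENDMAIL_PATH + " " + php_escapeshellcmd(params)   # mail.c escapes, then popen()s via sh
    return shlex.split(cmdline)                                  # POSIX word splitting, as sh does


def is_shell_safe(s: str) -> bool:
    """Allow-list equivalent of PHPMailer's isShellSafe() (5.2.20 and later): every
    character must be alphanumeric or one of '@', '_', '-', '.', and escapeshellcmd()
    must be a no-op. Quotes, spaces and backslashes all fail, so the payload cannot reach
    the shell at all."""
    if php_escapeshellcmd(s) != s:
        return False
    return all(c.isascii() and c.isalnum() or c in "@_-." for c in s)


def sender_params_hardened(sender: str) -> Optional[str]:
    """Hardened builder: pass -f only for a shell-safe Sender, otherwise send without it
    (the approach PHPMailer settled on after the escapeshellarg() fix in 5.2.18 was bypassed)."""
    return "-f" + sender if sender and is_shell_safe(sender) else None


if __name__ == "__main__":
    for sender in ("alice@example.com", MALICIOUS_SENDER):
        print("vulnerable argv:", sendmail_argv_for_sender(sender))
        print("hardened params:", sender_params_hardened(sender))
```

For the advisory's sender the vulnerable path yields an argv containing '-oQ/tmp/' and '-X/var/www/cache/phpcode.php' as separate sendmail options, while a plain address yields only '-falice@example.com'. Two caveats for remediation: the malicious address is syntactically valid, so an RFC 822 syntax check on the From address does not stop it, only the allow-list does; and the 5.2.18 fix referenced above (escapeshellarg() around the sender) was itself bypassed (CVE-2016-10045), so the practical floor is PHPMailer 5.2.20 or later.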

Risk Assessment

CRITICAL
In CISA KEV
Known exploit
Critical CVSS
High EPSS

Details

Severity: High
CVSS: 9.8
EPSS: 94.5%
CWE: CWE-88
Exploit: POC
CISA KEV: Yes
Ransomware: Unknown
Articles: 0

Timeline

Published (this entry)

Jul 7, 2025 (the CVE itself was publicly disclosed in December 2016)

Added to KEV

Jul 7, 2025

Remediation Due

Jul 28, 2025

Affected Product

PHP

PHPMailer
