CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: May 3, 2022

CVE-2019-9082

High

CVSS 8.8EPSS 94.3%CISA KEVPoC Available

Description

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

CVSS Score

8.8/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS — Exploit Probability

94.3%

Higher than 99.9% of all CVEs

Weakness Classification (CWE)

CWE-94Code InjectionMITRE

Known Exploits

POC

http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.htmlExploit https://github.com/xiayulei/open_source_bms/issues/33Exploit http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.htmlExploit https://github.com/xiayulei/open_source_bms/issues/33Exploit https://www.exploit-db.com/exploits/46488/Exploit

Required Action

https://nvd.nist.gov/vuln/detail/CVE-2019-9082

Risk Assessment

CRITICAL

In CISA KEV

Known exploit

High EPSS

Details

Severity: High
CVSS: 8.8
EPSS: 94.3%
CWE: CWE-94
Exploit: POC
CISA KEV: Yes
Ransomware: Unknown
Articles: 0

Timeline

Published

Nov 3, 2021

Added to KEV

Nov 3, 2021

Remediation Due

May 3, 2022

Affected Product

ThinkPHP

View all ThinkPHP CVEs

External Links

NVD (NIST)CVE Details MITRE CVE