CVE-2019-9082

HIGH · KEV · NUCLEI

ThinkPHP < 3.2.4 - Remote Code Execution via Public Endpoint

Title source: llm

Exploitation Summary

CVE-2019-9082 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits from researchers including Metasploit and Yang Chenglong. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits PHP injection vulnerabilities in ThinkPHP versions up to 5.0.23 to achieve remote code execution. It includes version detection and payload delivery mechanisms for both Unix commands and Linux droppers.

Description

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/48333

This Metasploit module exploits PHP injection vulnerabilities in ThinkPHP versions up to 5.0.23 to achieve remote code execution. It includes version detection and payload delivery mechanisms for both Unix commands and Linux droppers.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ThinkPHP <= 5.0.23
No auth needed
Prerequisites: Network access to the target web application · ThinkPHP application running on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC
by Yang Chenglong · text · webapps · php
https://www.exploit-db.com/exploits/46488

This exploit demonstrates a CSRF vulnerability in zzzphp CMS 1.6.1, allowing attackers to inject malicious code into template files via a crafted POST request, leading to dynamic code evaluation. The PoC is a functional HTML form that automates the attack when visited by an authenticated admin.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: zzzphp CMS 1.6.1
Auth required
Prerequisites: Admin session active in the target browser · Victim must visit the crafted HTML page
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

ThinkPHP < 3.2.4 - Remote Code Execution
HIGH · VERIFIED · by 0xanis
FOFA: app="ThinkPHP"

Scores

CVSS v3 8.8
EPSS 0.9421
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-01-13
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-18467
CWE
CWE-306 CWE-94
Status published
Products (3)
opensourcebms/open_source_background_management_system 1.1.1
thinkphp/thinkphp < 3.2.4
zzzcms/zzzphp 1.6.1
Published Feb 24, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026