CVE-2020-28949

HIGH KEV RANSOMWARE

Archive_Tar <1.4.10 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-28949 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including gwillcox-r7, xorathustra, including a Metasploit module exploits/multi/fileformat/archive_tar_arb_file_write.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2020-28948 and CVE-2020-28949, targeting the Archive_Tar library. The PoC demonstrates PHAR deserialization and inclusion attacks, leading to arbitrary file deletion and remote code execution.

Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Exploits (2)

vulncheck_xdb WORKING POC
client-side
https://github.com/JinHao-L/PoC-for-CVE-2020-28948-CVE-2020-28949

This repository contains functional exploit code for CVE-2020-28948 and CVE-2020-28949, targeting the Archive_Tar library. The PoC demonstrates PHAR deserialization and inclusion attacks, leading to arbitrary file deletion and remote code execution.

Classification
Working Poc 100%
Attack Type
Deserialization, Rce
Complexity
Moderate
Reliability
Reliable
Target: PEAR Archive_Tar library
No auth needed
Prerequisites: ability to upload a crafted tar file to the target server
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by gwillcox-r7, xorathustra · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/archive_tar_arb_file_write.rb

This Metasploit module exploits CVE-2020-28949 in PEAR Archive_Tar <= 1.4.10 by leveraging improper validation of file stream wrappers in filenames to write arbitrary files with user-controlled content. The exploit generates a malicious tar archive containing a file path with a 'file://' wrapper to achieve arbitrary file write.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: PEAR Archive_Tar <= 1.4.10
No auth needed
Prerequisites: Target must be using PEAR Archive_Tar <= 1.4.10 · Attacker must be able to deliver a malicious tar archive to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://github.com/pear/Archive_Tar/issues/33
Third Party Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2020-013
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4817
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202101-23

Scores

CVSS v3 7.8
EPSS 0.9336
EPSS Percentile 99.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-08-25
VulnCheck KEV 2022-08-25
InTheWild.io 2022-08-25
ENISA EUVD EUVD-2021-0783
Ransomware Use Confirmed
Status published
Products (9)
debian/debian_linux 9.0
debian/debian_linux 10.0
drupal/drupal 7.0 - 7.75
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
pear/archive_tar 0 - 1.4.11Packagist
php/archive_tar < 1.4.12
Published Nov 19, 2020
KEV Added Aug 25, 2022
Tracked Since Feb 18, 2026