CVE-2020-8644

CRITICAL KEV NUCLEI

playsms < 1.4.3 - Unauthenticated Remote Code Execution via Template Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-8644 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 3 public exploits from researchers including Metasploit, H3rm1tR3b0rn, including a Metasploit module exploits/multi/http/playsms_template_injection. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a pre-auth Server-Side Template Injection (SSTI) vulnerability in PlaySMS before 1.4.3, leading to remote code execution by injecting a malicious payload into the username field during login.

Description

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/48335

This Metasploit module exploits a pre-auth Server-Side Template Injection (SSTI) vulnerability in PlaySMS before 1.4.3, leading to remote code execution by injecting a malicious payload into the username field during login.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PlaySMS before 1.4.3
No auth needed
Prerequisites: Network access to the target PlaySMS instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by H3rm1tR3b0rn · remote-auth
https://github.com/H3rm1tR3b0rn/CVE-2020-8644-PlaySMS-1.4

This repository contains a functional Python exploit for CVE-2020-8644, targeting PlaySMS versions before 1.4.3. The exploit leverages a PHP code injection vulnerability in the login mechanism to achieve remote code execution via a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PlaySMS < 1.4.3
No auth needed
Prerequisites: Target must have /bin/nc.traditional available · Attacker must have a listening port open for the reverse shell
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/playsms_template_injection.rb

This Metasploit module exploits a pre-authentication Server-Side Template Injection (SSTI) vulnerability in PlaySMS before version 1.4.3, leading to remote code execution. The exploit leverages a double-processing flaw in the TPL template engine by injecting a malicious payload into the username field during login.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PlaySMS before 1.4.3
No auth needed
Prerequisites: Network access to the target PlaySMS instance · PlaySMS version before 1.4.3
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

playSMS <1.4.3 - Remote Code Execution
CRITICALby dbrwsky

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.9406
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-29492
CWE
CWE-94
Status published
Products (1)
playsms/playsms < 1.4.3
Published Feb 05, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026