Cyber Resilience

CVE-2009-1151

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 26 March 2009

Published
26 March 2009
Modified
22 April 2026
KEV Added
25 March 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9327 99.8th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2009-1151 is a critical-severity Code Injection (CWE-94) vulnerability in Phpmyadmin Phpmyadmin. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2009-1151 is a static code injection vulnerability, tracked under CWE-94, that affects the setup.php component in phpMyAdmin versions 2.11.x prior to 2.11.9.5 and 3.x prior to 3.1.3.1. The flaw permits remote attackers to inject arbitrary PHP code into a configuration file through the save action, resulting in a CVSS 3.1 base score of 9.8 reflecting network-exploitable impacts to confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit the issue without user interaction or privileges by submitting crafted input to the vulnerable setup script, enabling them to write executable PHP code that persists in the application's configuration and can subsequently be executed on the server.

References such as the phpMyAdmin SVN commit, Secunia advisories 34430 and 34642, and the openSUSE security announcement indicate that the issue is resolved by upgrading to the fixed releases 2.11.9.5 or 3.1.3.1. No information on observed in-the-wild exploitation is provided in the source data.

EU & UK References

Vulnerability details

Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

phpmyadmin
phpmyadmin
2.11.0 — 2.11.9.5 · 3.0.0 — 3.1.3.1
debian
debian linux
4.0, 5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of inputs to setup.php to block arbitrary PHP code injection into configuration files.

prevent

Enforces authorization checks so unauthenticated remote users cannot invoke the save action in setup.php.

prevent

Restricts logical access needed to perform unauthorized modifications to configuration files via the vulnerable setup script.

References