CVE-2019-9082
Published: 24 February 2019
Summary
CVE-2019-9082 is a high-severity Code Injection (CWE-94) vulnerability in the ThinkPHP web framework. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and public proof-of-concept code is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
ThinkPHP versions before 3.2.4, as bundled in Open Source BMS v1.1.1 and other products, are affected by a remote command execution flaw tracked as CVE-2019-9082. The framework's route parameter s can be pointed at framework internals: a request whose route names \think\app/invokefunction makes the framework call whatever PHP function the function parameter names, with the arguments supplied in vars, so an attacker can reach call_user_func_array and, through it, system(). The issue is classified under CWE-94 (code injection) and CWE-306 (missing authentication for a critical function) and carries a CVSS 3.1 base score of 8.8.
Exploitation needs neither authentication nor user interaction: a single HTTP request to the public// endpoint carrying s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by an arbitrary operating-system command is enough. The command runs immediately with the privileges of the web server process, giving the attacker full control over confidentiality, integrity, and availability on the target host.
Public exploit code and proof-of-concept reports have been posted to Exploit-DB, Packet Storm Security, and the Open Source BMS GitHub issue tracker.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-18467
Vulnerability details
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
- CWE(s): CWE-94, CWE-306
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- ThinkPHP before 3.2.4
- Open Source BMS v1.1.1 (bundles the affected ThinkPHP) and other products that embed ThinkPHP
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the unsanitized HTTP parameters (s, function, vars) that steer the ThinkPHP endpoint into call_user_func_array and system().
- AC-3 (Access Enforcement): enforces access-control policy on the public//?s= route so unauthenticated attackers cannot reach invokefunction.
- Flaw remediation: upgrade ThinkPHP to 3.2.4 or later promptly to remove the exposed framework internals; the two controls above reduce exposure but do not replace the patch.
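As an added example (not code from ThinkPHP, Open Source BMS, or the source of this advisory), the following Python shows the input-validation and detection side of the request pattern described under Deeper analysis and the controls listed above: it canonicalizes the s route parameter (case, single and double percent-encoding, separator variants), rejects any route that calls invokefunction on a \think\ class or that is not a plain module/controller/action path, flags function= and vars[]= values that name PHP callables, and runs that check over access-log lines. The class-name wildcard in ROUTE_INTERNAL generalizes beyond the \think\app form quoted above; the function names, regexes and log lines are assumptions made here, and the log lines are constructed, not real traffic.

```python
"""Detection and input-validation check for the ThinkPHP invokefunction
request pattern described in CVE-2019-9082.

Added example for this page; it is not ThinkPHP, Open Source BMS, or CISA
code. Function names, the regexes, and the access-log lines are all
constructed here for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Decode percent-encoding until stable, then lowercase, so that
    \\think\\App, %5Cthink%5Capp and %255Cthink%255Capp all compare equal."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


# Specific indicator: a route that resolves to a class in the \think\ namespace
# and calls its invokefunction method. The class segment is a wildcard
# (assumption: generalizes the \think\app form quoted in the advisory).
ROUTE_INTERNAL = re.compile(r"think[\\/]+\w+[\\/]+invokefunction")

# Allowlist (SI-10 style): a legitimate route is module/controller/action made
# of word characters and slashes only. Anything else is rejected before the
# framework gets to resolve it as a class name.
ROUTE_ALLOWED = re.compile(r"/?[a-z0-9_]+(/[a-z0-9_]+){0,3}")

# PHP callables an exploit needs in 'function' or 'vars[...]' to reach a shell.
DANGEROUS_FUNCS = {
    "call_user_func_array", "call_user_func", "system", "exec", "shell_exec",
    "passthru", "popen", "proc_open", "assert",
}


def classify_request(request_target: str) -> dict:
    """Classify one request target (path plus query string) as 'block' or
    'allow' and list the reasons, e.g. '/public//?s=index/\\think\\app/...'."""
    reasons = []
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)

    # 's' carries the ThinkPHP route when URL rewriting is not in use.
    for route in query.get("s", []):
        route = normalize(route)
        if ROUTE_INTERNAL.search(route):
            reasons.append("route calls invokefunction on a \\think\\ class")
        elif not ROUTE_ALLOWED.fullmatch(route):
            reasons.append("route is not a plain module/controller/action path")

    # The exploit also needs 'function=' and 'vars[...]=' to name callables.
    for key, values in query.items():
        key = normalize(key)
        if key == "function" or key.startswith("vars["):
            for value in values:
                if normalize(value) in DANGEROUS_FUNCS:
                    reasons.append(f"{key} names PHP callable {normalize(value)}")

    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


# Combined Log Format lines, constructed for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2019:10:01:02 +0000] "GET /public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '203.0.113.7 - - [24/Feb/2019:10:01:05 +0000] "GET /public//?s=index/%5Cthink%5CApp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=whoami HTTP/1.1" 200 498 "-" "curl/7.64.0"',
    '198.51.100.20 - - [24/Feb/2019:10:02:11 +0000] "GET /public/?s=index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [24/Feb/2019:10:03:44 +0000] "POST /public/?s=index/article/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Return one record per logged request that classify_request would block.
    A 200 status on such a request means the command most likely ran."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        result = classify_request(match.group("target"))
        if result["verdict"] == "block":
            hits.append({
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "status": int(match.group("status")),
                "target": match.group("target"),
                "reasons": result["reasons"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], "; ".join(hit["reasons"]))
```

The same classify_request logic belongs in front of the application (reverse proxy or WAF rule) for the AC-3 and SI-10 controls, while scan_access_log is the incident-response side: run it over historical logs, and treat any hit with a 200 response as a probable successful execution that warrants host triage rather than just a blocked probe.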