Cyber Resilience

CVE-2019-9082

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 24 February 2019
Modified: 09 December 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.9421 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-9082 is a high-severity Code Injection (CWE-94) vulnerability in the ThinkPHP PHP framework (vendor thinkphp, product thinkphp). Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9421); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

ThinkPHP versions before 3.2.4, as incorporated in Open Source BMS v1.1.1 and other products, are affected by a remote command execution flaw tracked as CVE-2019-9082. The framework's routing exposes an internal dispatch method, \think\app/invokefunction, to ordinary HTTP requests and hands the request's function= and vars[] parameters straight to call_user_func_array, so the attacker chooses both the PHP callable and its arguments. The flaw is classified under CWE-94 (Code Injection) and CWE-306 (Missing Authentication for Critical Function) and carries a CVSS 3.1 score of 8.8.

A remote attacker needs no credentials and no action from any legitimate user (the CVSS vector above nonetheless records UI:R). A single HTTP request to the public// endpoint with the query string s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by an arbitrary operating-system command makes the framework call system() with that command as its argument. The command runs with the privileges of the web server process, giving full compromise of confidentiality, integrity, and availability on the host. Because the payload travels as ordinary query parameters, it is frequently percent-encoded (the backslashes in \think\app arrive as %5C, sometimes double-encoded), so a check that looks only for the literal string in the URL will miss variants.
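The request described above leaves a recognisable trace in web-server access logs. The following detector is an added example written for this page, not code from the original page or from the ThinkPHP project: it scans combined-format access-log lines (the four sample lines and the field layout are constructed assumptions), undoes repeated percent-encoding on parameter names and values, and flags any request whose s= route reaches \think\app/invokefunction, rating it by what call_user_func_array is pointed at.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic):
# two ThinkPHP invokefunction probes, one legitimate route, one double-encoded probe.
SAMPLE_LOG = r'''
203.0.113.7 - - [24/Feb/2019:10:01:02 +0000] "GET /public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 312 "-" "curl/7.64.0"
203.0.113.7 - - [24/Feb/2019:10:01:05 +0000] "GET /public//?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=whoami HTTP/1.1" 200 290 "-" "python-requests/2.21.0"
198.51.100.9 - - [24/Feb/2019:10:02:10 +0000] "GET /public/index.php?s=index/user/login HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2019:10:03:00 +0000] "GET /?s=index/%255Cthink%255Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 77000 "-" "curl/7.64.0"
'''.strip().splitlines()

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# PHP callables that run an OS command once call_user_func_array is pointed at them.
SHELL_CALLABLES = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past literal-string filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the request fields plus a dict of fully decoded query parameters, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = {}
    # parse_qs removes one layer of encoding; fully_decode handles the rest, on keys too.
    for key, values in parse_qs(query, keep_blank_values=True).items():
        params[fully_decode(key).lower()] = [fully_decode(v) for v in values]
    return {**m.groupdict(), "params": params}


def classify(entry):
    """Flag a request whose s= route reaches \\think\\app/invokefunction; rate it by the callable used."""
    p = entry["params"]
    # Normalise backslash/forward-slash and case so %5C, \ and / variants all match.
    route = "".join(p.get("s", [""])).replace("\\", "/").lower()
    if "think/app/invokefunction" not in route:
        return None
    dispatcher = (p.get("function") or [""])[0].lower()
    target = (p.get("vars[0]") or [""])[0].lower()
    args = p.get("vars[1][]") or []
    if dispatcher == "call_user_func_array" and target in SHELL_CALLABLES:
        severity = "critical"   # OS command runs as the web server user
    elif dispatcher == "call_user_func_array":
        severity = "high"       # arbitrary PHP callable, e.g. phpinfo for reconnaissance
    else:
        severity = "medium"     # reaching framework internals at all is not legitimate traffic
    return {
        "src": entry["src"], "ts": entry["ts"], "status": entry["status"],
        "callable": target or dispatcher, "args": args, "severity": severity,
    }


def scan(lines):
    """Run the detector over log lines and return the findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['src']:15} {f['callable']}({', '.join(f['args'])}) -> HTTP {f['status']}")
```

Run against the sample, the three invokefunction requests are flagged (two as critical because vars[0] is system, one as high because vars[0] is phpinfo) and the ordinary login route is ignored. An HTTP 200 on a flagged line means the server answered the probe rather than rejecting it, which is the strongest signal that the host is vulnerable and should be treated as compromised until proven otherwise. Access logs only show the query string, so the same logic should be applied to full request logging or WAF telemetry where those are available.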

Public exploit code and proof-of-concept reports have been posted to Exploit-DB, Packet Storm Security, and the Open Source BMS GitHub issue tracker.

Vulnerability details

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

CWE(s): CWE-94 (Improper Control of Generation of Code, "Code Injection"), CWE-306 (Missing Authentication for Critical Function)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Version
thinkphp / thinkphp / ≤ 3.2.4 (the description above says "before 3.2.4"; confirm with the vendor that 3.2.4 itself is the fixed release before treating it as safe)
opensourcebms / open source background management system / 1.1.1
zzzcms / zzzphp / 1.6.1

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Rejects the unsanitized HTTP parameters (s=, function=, vars[]) that would otherwise reach call_user_func_array and system() in the ThinkPHP invokefunction endpoint.

prevent: AC-3 (Access Enforcement). Enforces access-control policy on the public//?s= route so that unauthenticated attackers cannot reach invokefunction at all.

prevent: Prompt patching. Upgrade ThinkPHP to 3.2.4 or later, and update the listed downstream products that ship the framework, to remove the exposed framework internals rather than relying on request filtering alone.
