Cyber Resilience

CVE-2020-8644

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 05 February 2020

Modified: 07 November 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9406 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-8644 is a critical-severity Code Injection (CWE-94) vulnerability in PlaySMS. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

PlaySMS versions prior to 1.4.3 contain an input sanitization flaw that permits injection of malicious strings, classified under CWE-94 as improper control of code generation. The affected component is the core template handling logic reachable through the web interface, resulting in a CVSS 3.1 base score of 9.8 with network attack vector, no required credentials or user interaction, and full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can supply crafted input over the network to trigger template injection, leading to arbitrary code execution on the server and complete system compromise. Public proof-of-concept material demonstrates direct unauthenticated remote code execution via the index.php endpoint.

Official advisories and release notes state that upgrading to PlaySMS 1.4.3 resolves the issue; the project site and community forum both identify this version as the corrective release containing the necessary input handling fixes. Detailed technical analysis from NCC Group confirms the pre-authentication remote code execution path and the effectiveness of the patch. Public exploit code has been published on PacketStorm, indicating the vulnerability is readily reproducible.

Vulnerability details

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

playsms
playsms
≤ 1.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all inputs to the PlaySMS template handler, blocking the malicious string injection that leads to RCE.

prevent

Mandates prompt application of the vendor patch (v1.4.3) that implements the missing input-handling fixes for this exact flaw.

prevent

Enforces access-control decisions before processing unauthenticated requests to index.php, limiting the attack surface that the unsanitized input exploits.
