CVE-2020-8644
Published: 05 February 2020
Summary
CVE-2020-8644 is a critical-severity Code Injection (CWE-94) vulnerability in PlaySMS. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
PlaySMS versions prior to 1.4.3 contain an input sanitization flaw that permits injection of malicious strings, classified under CWE-94 as improper control of code generation. The affected component is the core template handling logic reachable through the web interface. The CVSS 3.1 base score is 9.8, with a network attack vector, no required credentials or user interaction, and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can supply crafted input over the network to trigger template injection, leading to arbitrary code execution on the server and complete system compromise. Public proof-of-concept material demonstrates direct unauthenticated remote code execution via the index.php endpoint.
Official advisories and release notes state that upgrading to PlaySMS 1.4.3 resolves the issue; the project site and community forum both identify this version as the corrective release containing the necessary input handling fixes. Detailed technical analysis from NCC Group confirms the pre-authentication remote code execution path and the effectiveness of the patch. Public exploit code has been published on PacketStorm, indicating the vulnerability is readily reproducible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-29492
Vulnerability details
PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
- CWE(s): CWE-94
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of all inputs to the PlaySMS template handler, blocking the malicious string injection that leads to RCE.
- Mandates prompt application of the vendor patch (v1.4.3) that implements the missing input-handling fixes for this exact flaw.
- Enforces access-control decisions before processing unauthenticated requests to index.php, limiting the attack surface that the unsanitized input exploits.