CVE-2022-40089
Published: 22 September 2022
Summary
CVE-2022-40089 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Simple College Website (vendor: Simple College Website Project). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 13.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-40089 is a remote file inclusion vulnerability affecting Simple College Website version 1.0. The flaw, tracked under CWE-98, permits execution of arbitrary code through a crafted PHP file when the PHP directive allow_url_include is enabled. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
Unauthenticated remote attackers can supply a malicious URL pointing to attacker-controlled PHP code, resulting in full compromise of the web application and the underlying server whenever allow_url_include is enabled. The issue stems from insufficient validation of included file paths in the affected source code distribution.
No vendor advisories or official patches are referenced in available sources. The EPSS score rose from low values to a peak of 0.0539 on 2025-01-22 before receding to the current 0.0287, indicating a post-disclosure rise in predicted exploitation likelihood that has since partly receded.
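To make the CWE-98 mechanism described above concrete, the following is an added example and not code from the Simple College Website project: a hypothetical PHP page loader showing the include pattern that allow_url_include turns into remote code execution, next to a hardened allow-list version and a deployment check for the directive. The PAGES map, file names and function names are assumptions.

```php
<?php
// Added example (hypothetical, not the project's code): the include pattern
// behind CWE-98 and a hardened form that does not depend on php.ini settings.

// Insecure pattern: a request parameter is passed straight to include().
// With allow_url_include=On, PHP will fetch and execute whatever the value
// points to, which is the condition CVE-2022-40089 relies on.
function load_page_insecure(string $page): void
{
    include $page . '.php';
}

// Hardened form: map the parameter onto a fixed allow-list of local files,
// so user input never becomes a path or URL.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function load_page_secure(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return;
    }
    // Defence in depth: resolve the path and confirm it stays under pages/.
    $base = __DIR__ . '/pages/';
    $real = realpath(__DIR__ . '/' . PAGES[$page]);
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

// Deployment check: allow_url_include is PHP_INI_SYSTEM and cannot be
// changed at runtime, so refuse to serve requests while it is enabled.
function assert_remote_include_disabled(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off in php.ini');
    }
}

assert_remote_include_disabled();
load_page_secure($_GET['page'] ?? 'home');
```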
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43408
Vulnerability details
A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Simple College Website v1.0
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.