Cyber Posture

CVE-2026-37552

High

Published: 01 May 2026

Modified: 07 May 2026
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37552 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 30.9th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Requires timely identification, reporting, and correction of the unsafe deserialization flaw in MixPHP's sync-invoke TCP server to prevent arbitrary code execution.

prevent

Mandates validation of all incoming TCP socket data prior to unserialization, blocking crafted malicious PHP closures.

prevent

Limits system to least functionality by disabling or restricting the unnecessary unauthenticated localhost TCP server in the MixPHP Framework.
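
One way to apply the input-validation control above, as an added example (not MixPHP's code and not a vendor patch): each frame carries an HMAC-SHA256 tag that is checked before any deserializer runs. The function names, the frame layout, and the key handling are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added example: authenticate a frame before any deserializer sees it.
// Frame layout (an assumption for this sketch): 32-byte HMAC-SHA256 tag || payload.
const TAG_LEN = 32;

function seal_frame(string $payload, string $key): string
{
    return hash_hmac('sha256', $payload, $key, true) . $payload;
}

/** Returns the authenticated payload, or null if the frame must be dropped. */
function open_frame(string $frame, string $key): ?string
{
    if (strlen($frame) <= TAG_LEN) {
        return null;                       // too short to hold tag + payload
    }
    $tag     = substr($frame, 0, TAG_LEN);
    $payload = substr($frame, TAG_LEN);
    $expect  = hash_hmac('sha256', $payload, $key, true);
    // hash_equals() compares in constant time, so timing does not leak the tag.
    return hash_equals($expect, $tag) ? $payload : null;
}

/** Hypothetical receive handler: verify first, deserialize only verified bytes. */
function handle_frame(string $frame, string $key, callable $deserialize)
{
    $payload = open_frame($frame, $key);
    if ($payload === null) {
        error_log('sync-invoke: dropped unauthenticated frame');
        return null;                       // never reaches the deserializer
    }
    return $deserialize($payload);
}

// Constructed demo data. A real key comes from a secret store readable only
// by the client and server processes, not from source code.
$key  = random_bytes(32);
$good = seal_frame(serialize(['op' => 'ping']), $key);
$bad  = str_repeat("\0", TAG_LEN) . serialize(['op' => 'ping']); // forged tag

// Stand-in deserializer: plain data only, no objects instantiated.
$decode = fn(string $p) => unserialize($p, ['allowed_classes' => false]);

var_dump(handle_frame($good, $key, $decode));
var_dump(handle_frame($bad, $key, $decode));
```

Because the attack vector here is local, the tag only helps if the key is unreadable to other local accounts; the dropped-frame log line also gives defenders a signal that something on the host is probing the port.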

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The local unsafe deserialization vulnerability in the localhost-bound TCP service allows an attacker with an initial foothold on the system to achieve arbitrary code execution as the server process via crafted PHP closures, directly enabling exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.

Deeper analysis [AI]

CVE-2026-37552 is an unsafe deserialization vulnerability (CWE-502) affecting MixPHP Framework versions 2.x through 2.2.17. The issue resides in the sync-invoke TCP server implemented in Server.php at line 87, where data received from a TCP socket is passed directly to Opis\Closure\unserialize() and then executed via call_user_func(). No authentication or signature verification is performed on incoming TCP connections; the server binds exclusively to 127.0.0.1. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise.

An attacker requires local access to the TCP port on the target host (localhost only) to exploit this flaw. By sending a crafted serialized PHP closure over the TCP connection, the attacker can trigger arbitrary code execution with the privileges of the server process. This local attack vector assumes the adversary has already gained some foothold on the system, such as through another vulnerability or misconfiguration, enabling them to connect to the loopback interface. From there, exploitation needs no user interaction and no privileges on the service itself.

References for further details include a GitHub Gist at https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 (likely containing a proof-of-concept), the main MixPHP repository at https://github.com/mix-php/mix, and the vulnerable Server.php source at https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php. No specific patch or mitigation guidance is detailed in the provided CVE information.

Details

CWE(s)

CVEs Like This One

CVE-2025-26921 (Shared CWE-502)
CVE-2025-8875 (Shared CWE-502)
CVE-2026-4416 (Shared CWE-502)
CVE-2025-24794 (Shared CWE-502)
CVE-2025-66214 (Shared CWE-502)
CVE-2025-23303 (Shared CWE-502)
CVE-2026-40048 (Shared CWE-502)
CVE-2026-25166 (Shared CWE-502)
CVE-2026-27749 (Shared CWE-502)
CVE-2026-24157 (Shared CWE-502)

References