CVE-2015-0935
Published 2015-05-25
CVE-2015-0935: Bomgar Remote Support before 15.1.1 allows remote attackers to execute arbitrary PHP code via crafted serialized data to unspecified PHP scripts.
Priority: P2 · 59 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 5.87% (92.3th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bomgar | remote_support | <= 14.3.2 | — |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /session_complete containing both 'lsid' and 'survey' POST parameters, where 'survey' contains PHP serialized object data (patterns like O:<length>:"<classname>" or a:<count>:{).
- Look for PHP serialized payloads in the 'survey' POST parameter targeting Bomgar classes: 'Tracer', 'Logger', and dynamically constructed class names derived from file paths (filepath.chomp('.php').gsub('/', '_')).
- The exploit requires a valid Logging Session ID (LSID) in the format 'h=[...];l=[...];m=[...];t=[...]', obtainable unauthenticated via the Issue Submission form. Monitor for unauthenticated retrieval of LSIDs followed immediately by POST to /session_complete.
- The exploit uses PHP object deserialization to write arbitrary files via the Logger/_lineFormat/_eol chain. Alert on PHP deserialization gadget chains referencing 'Logger' with private member '\0Logger\0_logs' in POST body.
- The autoload exploitation step sends a serialized object whose class name is derived from a PHP file path (slashes replaced with underscores, .php stripped). Detect serialized objects with class names matching path-like patterns (e.g., underscored directory structures) in the 'survey' parameter.
- Exploitation requires a valid Logging Session ID (LSID) obtained unauthenticated from the Issue Submission form; without a valid LSID the exploit cannot proceed.
- The module targets Linux x86 and Linux x86_64 platforms only; Windows Bomgar deployments are not covered by this exploit module.
- Only Bomgar Remote Support versions before 15.1.1 are vulnerable; version 15.1.1 and later are patched.
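The request-level checks listed above, combined into one triage function. This is an added example, not a rule from this page or its sources. It assumes requests are already parsed into (method, path, form-encoded body); the finding tag names, the "three or more underscore-joined segments" heuristic for path-like class names, and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

OBJ_RE = re.compile(r'O:\d+:"([^"]+)"')   # O:<length>:"<classname>"
ARR_RE = re.compile(r'a:\d+:\{')          # a:<count>:{
LSID_RE = re.compile(r'h=[^;]*;l=[^;]*;m=[^;]*;t=[^;]*')  # LSID layout from the page
# Assumption: three or more underscore-joined segments count as "path-like".
PATHLIKE_RE = re.compile(r'[^_]+(?:_[^_]+){2,}')
NAMED_CLASSES = {"Tracer", "Logger"}
PRIVATE_LOGS = "\x00Logger\x00_logs"      # private member as PHP serializes it

def inspect_request(method, path, body):
    """Return finding tags for one request; an empty list means nothing matched."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/session_complete":
        return []
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes %00
    if "lsid" not in params or "survey" not in params:
        return []
    survey = params["survey"][0]
    classes = OBJ_RE.findall(survey)
    if not classes and not ARR_RE.search(survey):
        return []
    findings = ["serialized-data-in-survey"]
    for name in classes:
        if name in NAMED_CLASSES:
            findings.append("named-class:" + name)
        elif PATHLIKE_RE.fullmatch(name):
            findings.append("path-like-class:" + name)
    if PRIVATE_LOGS in survey:
        findings.append("logger-private-logs-member")
    if LSID_RE.fullmatch(params["lsid"][0]):
        findings.append("well-formed-lsid")  # page: a valid LSID is a prerequisite
    return findings

# Constructed sample requests (not captured traffic); bodies are form-encoded.
LSID = "h=example;l=0;m=0;t=0"
SAMPLES = [
    ("POST", "/session_complete", urlencode({"lsid": LSID, "survey": "rating=5"})),
    ("POST", "/session_complete", urlencode(
        {"lsid": LSID, "survey": 'O:6:"Logger":1:{s:13:"\x00Logger\x00_logs";N;}'})),
    ("POST", "/session_complete", urlencode(
        {"lsid": LSID, "survey": 'O:18:"app_lib_some_class":0:{}'})),
    ("GET", "/session_complete", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body))
```

The body is decoded before matching because the NUL bytes around the private member name arrive percent-encoded as %00 on the wire, so a match against the raw body would miss them.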
No detection rules found.
No writeups or analysis indexed.