CVE-2015-0935
published 2015-05-25

CVE-2015-0935: Bomgar Remote Support before 15.1.1 allows remote attackers to execute arbitrary PHP code via crafted serialized data to unspecified PHP scripts.

Priority: P2 59 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 5.87% (92.3th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
bomgar | remote_support | <= 14.3.2 |

Detection & IOCs (extracted from sources)

url: /session_complete
command: POST /session_complete with vars_post: lsid=<LSID>&survey=<serialized_PHP_object>
  • Detect HTTP POST requests to /session_complete containing both 'lsid' and 'survey' POST parameters, where 'survey' contains PHP serialized object data (patterns like O:<length>:"<classname>" or a:<count>:{).
  • Look for PHP serialized payloads in the 'survey' POST parameter targeting Bomgar classes: 'Tracer', 'Logger', and dynamically constructed class names derived from file paths (filepath.chomp('.php').gsub('/', '_')).
  • The exploit requires a valid Logging Session ID (LSID) in the format 'h=[...];l=[...];m=[...];t=[...]', obtainable unauthenticated via the Issue Submission form. Monitor for unauthenticated retrieval of LSIDs followed immediately by POST to /session_complete.
  • The exploit uses PHP object deserialization to write arbitrary files via the Logger/_lineFormat/_eol chain. Alert on PHP deserialization gadget chains referencing 'Logger' with private member '\0Logger\0_logs' in POST body.
  • The autoload exploitation step sends a serialized object whose class name is derived from a PHP file path (slashes replaced with underscores, .php stripped). Detect serialized objects with class names matching path-like patterns (e.g., underscored directory structures) in the 'survey' parameter.
  • Exploitation requires a valid Logging Session ID (LSID) obtained unauthenticated from the Issue Submission form; without a valid LSID the exploit cannot proceed.
  • The module targets Linux x86 and Linux x86_64 platforms only; Windows Bomgar deployments are not covered by this exploit module.
  • Only Bomgar Remote Support versions before 15.1.1 are vulnerable; version 15.1.1 and later are patched.
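
The detection notes above can be combined into one request check. The following is an added example, not taken from the sources this page extracts from: the function name, the finding tags, the "path-like class name" heuristic and the sample request bodies are all assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

OBJ_RE = re.compile(r'O:\d+:"([^"]+)":\d+:\{')        # O:<length>:"<classname>"
ARR_RE = re.compile(r'a:\d+:\{')                       # a:<count>:{
LSID_RE = re.compile(r'^h=[^;]*;l=[^;]*;m=[^;]*;t=')   # h=[...];l=[...];m=[...];t=[...]
KNOWN_CLASSES = {"Tracer", "Logger"}                   # class names listed on this page
LOGS_MEMBER = "\x00Logger\x00_logs"                    # private member marker from this page


def inspect_request(method, path, body):
    """Return finding tags for one HTTP request; an empty list means nothing matched."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != "/session_complete":
        return []
    form = parse_qs(body, keep_blank_values=True)      # also decodes %00 to a NUL byte
    if "lsid" not in form or "survey" not in form:
        return []
    survey = form["survey"][0]
    classes = OBJ_RE.findall(survey)
    if not classes and not ARR_RE.search(survey):
        return []                                      # survey is not PHP-serialized data
    findings = ["serialized-php-in-survey"]
    if LSID_RE.match(form["lsid"][0]):
        findings.append("lsid-format-valid")
    if KNOWN_CLASSES.intersection(classes):
        findings.append("known-gadget-class")
    if LOGS_MEMBER in survey:
        findings.append("logger-private-member")
    # Assumed heuristic: any other class name containing underscores is treated as
    # derived from a file path (slashes replaced with underscores, .php stripped).
    if any("_" in c and c not in KNOWN_CLASSES for c in classes):
        findings.append("path-like-class-name")
    return findings


# Constructed sample bodies (inert fragments, not captured traffic).
LSID = "h=example;l=1;m=2;t=3"
BENIGN = urlencode({"lsid": LSID, "survey": "5"})
SUSPICIOUS = urlencode({"lsid": LSID,
                        "survey": 'O:6:"Logger":1:{s:13:"\x00Logger\x00_logs";a:0:{}}'})
PATH_LIKE = urlencode({"lsid": LSID, "survey": 'O:16:"some_dir_example":0:{}'})

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("path-like", PATH_LIKE)]:
        print(name, inspect_request("POST", "/session_complete", body))
```

The check needs the decoded request body, so it belongs where TLS is already terminated (reverse proxy, WAF or application log pipeline).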