CVE-2015-8562
published 2015-12-16


Priority: P2 (79) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N / AC:L / Au:N / C:P / I:P / A:P
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.28% (99.9th percentile)
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.

Affected

95 ranges · showing 25
Vendor: joomla · Product: joomla_! (the version-range and fixed-in columns were not captured on this page)

Detection & IOCs (extracted from sources)

  • Detect exploit attempts by inspecting the HTTP User-Agent header for the PHP object injection serialized payload prefix '}__test|O:21:"JDatabaseDriverMysqli"'
  • The exploit terminates the serialized payload with the UTF-8 multibyte sequence \xf0\xfd\xfd\xfd to truncate session data stored in the database; detect this byte sequence in HTTP headers
  • Some PoC variants deliver the payload via the X-Forwarded-For header instead of User-Agent; monitor both headers for serialized PHP object strings
  • The exploit uses 'assert' as the cache_name_function within the serialized object to achieve code execution; look for the string 'cache_name_function";s:6:"assert"' in HTTP header values
  • Presence of dropped file /tmp/newhnewh.py on a Joomla server indicates successful exploitation via the reverse shell stage of the CVE-2015-8562 PoC
  • Exploitation requires PHP versions before 5.4.45, 5.5.29, or 5.6.13; correlate vulnerable PHP version with Joomla detections to prioritize alerts
  • Shodan/FOFA fingerprints for exposed Joomla instances: search for http.html:"joomla! - open source content management" or body="joomla! - open source content management"
  • The exploit only works against PHP versions before 5.4.45, 5.5.29, or 5.6.13; patched PHP versions stop deserialisation on the first error, preventing exploitation even on unpatched Joomla
  • The PHP patch was backported into specific Ubuntu and Debian package versions (Ubuntu: 5.5.9+dfsg-1ubuntu4.13 / 5.3.10-1ubuntu3.20; Debian: 5.4.45-0+deb7u1); systems running these distro packages may be protected at the PHP level even without a Joomla upgrade
  • The vulnerability affects all Joomla versions from 1.5.0 through 3.4.5; the attack vector is the session table in the database where user-supplied headers are stored, and the payload executes when the session is read back
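As an added detection example (not taken from the page's sources), this Python inspects the User-Agent and X-Forwarded-For headers of a raw request for the indicators listed above: the payload prefix, the assert marker and the session-truncation byte sequence. The generic serialized-object regex and the two sample requests are constructed assumptions, not captured traffic.

```python
import re
from typing import Dict, List

# Indicators quoted in the detection notes above; the regex is an assumption
# (any serialized PHP object header in these headers is worth flagging).
PAYLOAD_PREFIX = b'}__test|O:21:"JDatabaseDriverMysqli"'
ASSERT_MARKER = b'cache_name_function";s:6:"assert"'
TRUNCATION_BYTES = b"\xf0\xfd\xfd\xfd"
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[A-Za-z_][A-Za-z0-9_\\]*":\d+:\{')
WATCHED_HEADERS = ("user-agent", "x-forwarded-for")


def parse_request_head(raw: bytes) -> Dict[str, bytes]:
    """Map lower-cased header names to raw byte values from an HTTP/1.x
    request head; values stay bytes so the non-UTF-8 sequence survives."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().decode("ascii", "replace").lower()] = value.strip()
    return headers


def inspect_headers(headers: Dict[str, bytes]) -> List[str]:
    """Return one finding per indicator seen in the watched headers."""
    findings: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in WATCHED_HEADERS:
            continue
        if PAYLOAD_PREFIX in value:
            findings.append(f"{lname}: CVE-2015-8562 payload prefix")
        if ASSERT_MARKER in value:
            findings.append(f"{lname}: assert as cache_name_function")
        if TRUNCATION_BYTES in value:
            findings.append(f"{lname}: session-truncation byte sequence")
        if PHP_OBJECT_RE.search(value):
            findings.append(f"{lname}: serialized PHP object")
    return findings


# Constructed sample requests (not real captures): an ordinary browser request
# and one carrying the payload prefix plus the truncation bytes in User-Agent.
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
SUSPICIOUS_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                      b'User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{'
                      + TRUNCATION_BYTES + b"\r\n\r\n")
```

Run the same check against the Joomla session table contents to catch payloads that were stored before the rule was deployed.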

CVSS provenance

NVD · CVSS v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck · 7.5 HIGH