CVE-2019-5434
published 2019-05-06


Priority: P1 87 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: exploited · VulnCheck KEV
Exploited in the wild
EPSS: 57.02% (98.9th percentile)
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such a vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites. This vulnerability was addressed in version 4.2.0.

Affected

2 ranges

Vendor      Product          Version range      Fixed in
revive-sas  revive_adserver  < 4.2.0            4.2.0
revive-sas  revive_adserver  (range not given)

Detection & IOCs (extracted from sources)

path     /adxmlrpc.php
path     /plugins/3rdPartyServers/ox3rdPartyServers/max.class.php
path     plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php
path     plugins/.htaccess
command  openads.spc
bytes    PD9waHAgc3lzdGVtKCRfR0VUWyIwIl0pOyA/Pg==  (base64; decodes to the one-line webshell <?php system($_GET["0"]); ?>)
  • Detect POST requests to /adxmlrpc.php containing the string 'openads.spc' in the body. On its own this only shows that the vulnerable XML-RPC method was invoked; pair it with the payload indicators below before treating it as exploitation.
  • Look for the serialized PHP object chain in the POST body to /adxmlrpc.php containing the class names 'Pdp\Uri\Url', 'League\Flysystem\File', 'League\Flysystem\MountManager', and 'League\Flysystem\Plugin\ForcedCopy'; these are the gadget chain classes used in exploitation.
  • Alert on GET requests to /plugins/3rdPartyServers/ox3rdPartyServers/max.class.php or doubleclick.class.php with query parameters, indicating a dropped webshell being accessed post-exploitation.
  • Detect the presence of the 'data:text/html;base64,' URI scheme within the POST body to /adxmlrpc.php, used to smuggle the PHP webshell payload via the Flysystem MountManager gadget.
  • Monitor for creation of unexpected .php files or .htaccess files under the plugins/ directory of Revive Adserver, as the exploit writes files to plugins/.htaccess and plugins/3rdPartyServers/ox3rdPartyServers/.
  • Use the Google dork 'inurl:www/delivery filetype:php' or the Shodan query 'http.favicon.hash:106844876' / title 'revive adserver' to identify exposed Revive Adserver instances for proactive scanning.
  • The exploit uses Content-Type: application/x-www-form-urlencoded for the POST to /adxmlrpc.php despite sending an XML body; this header anomaly combined with XML content can be used as a detection signal.
  • The vulnerability exists in the 'what' parameter of the 'openads.spc' XML-RPC method, specifically because unserialize() is called on attacker-controlled input with no sanitization. The fix was introduced in version 4.2.0; instances running 4.1.x and earlier are vulnerable.
  • Active exploitation in the wild has been reported but not confirmed; attackers may have used this to deliver malware to third-party websites through compromised Revive Adserver instances.
  • The exploit gadget chain relies on the presence of specific PHP libraries (pdp/public-suffix-list, league/flysystem) in the target environment. Detection rules targeting the serialized class names are specific to this gadget chain and may not catch alternative chains.
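The indicators above can be combined into a single triage rule rather than fired one by one. The script below is an added example, not code from this page or from the Revive Adserver project: it applies the request-level indicators (method name, serialized class names, data: URI, Content-Type mismatch, webshell access) to HTTP request records and assigns a severity, and it decodes the base64 IOC so the plaintext can be hunted for on disk. The record layout (method, path, headers, body) and the sample traffic are constructed for the example; the serialized payload in the sample only carries the class names and is not a working gadget chain.

```python
"""Triage helper for CVE-2019-5434 indicators (added example, not from the page
or the Revive Adserver project).  Request records are assumed to be dicts with
method, path, headers and body; adapt the loader to your log source."""
import base64
import re

# Gadget-chain class names from the indicator list.  PHP namespaces use
# backslashes, so each "\\" below is one literal backslash.
GADGET_CLASSES = {
    "Pdp\\Uri\\Url",
    "League\\Flysystem\\File",
    "League\\Flysystem\\MountManager",
    "League\\Flysystem\\Plugin\\ForcedCopy",
}

# Dropped-webshell locations from the indicator list.
WEBSHELL_PATHS = (
    "/plugins/3rdPartyServers/ox3rdPartyServers/max.class.php",
    "/plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php",
)

# The "bytes" IOC from the page: base64 of a one-line PHP webshell.
WEBSHELL_B64 = "PD9waHAgc3lzdGVtKCRfR0VUWyIwIl0pOyA/Pg=="

# PHP serialize() encodes an object as  O:<name length>:"<class name>":...
SERIALIZED_OBJECT = re.compile(r'O:\d+:"([^"]+)"')


def decode_webshell_ioc(b64=WEBSHELL_B64):
    """Decode the base64 IOC so the plaintext can be searched for on disk."""
    return base64.b64decode(b64).decode("utf-8")


def classify_request(req):
    """Return the indicator labels that a single request matches."""
    hits = []
    method = req["method"].upper()
    path, _, query = req["path"].partition("?")
    body = req.get("body", "")
    headers = {k.lower(): v.lower() for k, v in req.get("headers", {}).items()}

    if method == "POST" and path.endswith("/adxmlrpc.php"):
        if "openads.spc" in body:
            hits.append("xmlrpc-openads.spc")
        # Any serialized object reaching unserialize() is suspicious; the
        # known gadget classes raise confidence but are chain-specific.
        classes = set(SERIALIZED_OBJECT.findall(body))
        if classes:
            hits.append("serialized-object")
        if classes & GADGET_CLASSES:
            hits.append("gadget-chain")
        if "data:text/html;base64," in body:
            hits.append("data-uri-payload")
        if ("x-www-form-urlencoded" in headers.get("content-type", "")
                and body.lstrip().startswith("<?xml")):
            hits.append("content-type-mismatch")

    if method == "GET" and query and any(path.endswith(p) for p in WEBSHELL_PATHS):
        hits.append("webshell-access")
    return hits


def severity(hits):
    """Map matched indicators to a triage level."""
    if {"gadget-chain", "data-uri-payload", "webshell-access"} & set(hits):
        return "high"
    if {"serialized-object", "content-type-mismatch"} & set(hits):
        return "medium"
    if hits:
        return "low"  # method name alone: the vulnerable endpoint was called
    return "none"


def scan(requests):
    """Classify every request; returns (index, severity, hits) tuples."""
    results = []
    for i, req in enumerate(requests):
        hits = classify_request(req)
        results.append((i, severity(hits), hits))
    return results


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    {   # exploitation attempt: form-urlencoded header, XML body, gadget classes
        "method": "POST",
        "path": "/adxmlrpc.php",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": (
            '<?xml version="1.0"?><methodCall><methodName>openads.spc</methodName>'
            '<params><param><value><string>'
            'O:11:"Pdp\\Uri\\Url":1:{s:4:"host";'
            'O:29:"League\\Flysystem\\MountManager":0:{}}'
            ' data:text/html;base64,' + WEBSHELL_B64 +
            '</string></value></param></params></methodCall>'
        ),
    },
    {   # plain call to the same method with no serialized payload
        "method": "POST",
        "path": "/adxmlrpc.php",
        "headers": {"Content-Type": "text/xml"},
        "body": (
            '<?xml version="1.0"?><methodCall><methodName>openads.spc</methodName>'
            '<params><param><value><string>zone:1</string></value></param>'
            '</params></methodCall>'
        ),
    },
    {   # webshell use after a successful drop
        "method": "GET",
        "path": "/plugins/3rdPartyServers/ox3rdPartyServers/max.class.php?0=id",
        "headers": {},
        "body": "",
    },
]

if __name__ == "__main__":
    print("IOC decodes to:", decode_webshell_ioc())
    for idx, level, hits in scan(SAMPLE_REQUESTS):
        print(idx, level, hits)
```

The generic `serialized-object` label is what keeps the rule useful when an attacker swaps in a different gadget chain: the page notes the class-name rule is chain-specific, so any `O:<n>:"..."` object in a POST to /adxmlrpc.php is flagged at medium even when none of the known classes appear.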

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL