CVE-2019-9082
published 2019-02-24

Priority: P190 · high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 97.42% (99.9th percentile)
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Affected

4 ranges

Vendor         | Product                                  | Version range                  | Fixed in
cairographics  | cairo                                    | >= 0, < 1.14.6-1ubuntu0.1~esm1 | 1.14.6-1ubuntu0.1~esm1
opensourcebms  | open_source_background_management_system | (none given)                   | (none given)
thinkphp       | thinkphp                                 | < 3.2.4                        | 3.2.4
zzzcms         | zzzphp                                   | (none given)                   | (none given)

Note: the cairographics/cairo row does not match the ThinkPHP description above and looks like a data-feed mismatch; confirm it against the vendor before acting on it.

Detection & IOCs (extracted from the linked sources)

url:      /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20thinkphp%20%7C%20rev
url:      public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=
path:     /index.php?s=captcha
command:  _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo%20thinkphp%20%7C%20rev
filename: roeter.php
  • Detect exploitation attempts by matching, in HTTP GET requests to index.php, an s parameter that routes to \think\app/invokefunction together with function=call_user_func_array and vars[0]=system. Match after URL-decoding and case-insensitively: the description above spells the controller as index, the template URL as Index, and both reach the same code.
  • Detect the POST-based variant: a request to /index.php?s=captcha whose body contains _method=__construct&filter[]=system, which abuses the ThinkPHP __construct filter chain to reach the same command execution.
  • A successful probe returns the string 'phpkniht' (reverse of 'thinkphp') in the HTTP response body. This confirms the scanner's own `echo thinkphp | rev` payload; an attacker running a different command will not produce it, so use it as a confirmation matcher for active checks, not as the only detection.
  • Hunt for downloads of 'public.txt' from Hong Kong-based IPs followed by the creation of 'roeter.php' on the server; this is the Dama web shell deployment pattern observed in active campaigns.
  • The Dama web shell uses the password 'admin' for its authentication step; monitor for POST requests to roeter.php carrying this credential.
  • CVE-2019-9082 exploitation is frequently chained with CVE-2018-20062 in the same campaign; correlate both exploit patterns from the same source IP.
  • Use the FOFA query app="ThinkPHP" and the Google dork inurl:"index.php?s=" "thinkphp" to identify exposed ThinkPHP instances for proactive asset discovery and monitoring.
  • CVE-2019-9082 exploitation has been observed delivering Golang-based Monero cryptominers; correlate ThinkPHP RCE alerts with outbound connections to mining pools.
  • Compromised servers that serve the Dama web shell payload are themselves infected with the same shell and located in Hong Kong; treat downloads of .txt files from Hong Kong-originating hosts into web-accessible directories as high-priority alerts.
  • The Nuclei template uses stop-at-first-match across two distinct exploit methods (GET invokefunction and POST captcha/__construct), so a hit on either is enough for it to report; WAF/IDS rules must cover both HTTP methods and both URL paths independently.
  • The exploit-db entry (46488) attributes CVE-2019-9082 to a CSRF in zzzphp CMS 1.6.1, which differs from the NVD/Nuclei attribution to ThinkPHP RCE; verify the mapping before deploying signatures, since the sources describe different attack surfaces under the same CVE ID.
  • The Dama web shell bypasses disabled PHP functions to run shell commands, so PHP disable_functions hardening alone will not contain post-exploitation activity.
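The two request shapes in the first two bullets, turned into detection logic. This is an added example, not code from the page, from ThinkPHP or from the Nuclei template. It works on request records (method, URL, body) as a reverse proxy or WAF would log them; the sample records at the bottom are constructed. It goes slightly beyond the page in two ways: besides `system` it flags the other PHP command-execution functions an attacker can name in vars[0]= / filter[]= (an assumption about the same primitive, not something the page lists), and it decodes twice so double-URL-encoded requests do not slip past the string match.

```python
"""Detectors for the two CVE-2019-9082 exploit shapes (added example).

Works on {method, url, body} records such as a proxy or WAF logs.
"""
import re
from urllib.parse import parse_qs, unquote

# `system` is what the page's IOCs use; the others are an assumption that the
# same call_user_func_array / filter[] primitive gets pointed at other exec functions.
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "assert"}

# The s= route that reaches \think\app::invokefunction, either slash style, any case.
ROUTE_RE = re.compile(r"think[\\/]+app[\\/]+invokefunction", re.I)


def params(text: str) -> dict:
    """Parse a query string or form body into {lowercased name: [values]}.

    parse_qs decodes once; the extra unquote collapses double encoding
    (%255B -> %5B -> '[') so 'vars%255B0%255D' still lands on 'vars[0]'.
    """
    out = {}
    for name, values in parse_qs(text, keep_blank_values=True).items():
        out.setdefault(unquote(name).lower(), []).extend(unquote(v) for v in values)
    return out


def first(p: dict, name: str) -> str:
    """First value of a parameter, or '' when absent."""
    return p.get(name, [""])[0]


def classify(record: dict):
    """Return a finding dict for an exploit attempt, or None for benign traffic."""
    url = record.get("url", "")
    query = url.split("?", 1)[1] if "?" in url else ""

    # Variant 1: ?s=...\think\app/invokefunction&function=call_user_func_array
    #            &vars[0]=<exec func>&vars[1][]=<command>
    # The verb is deliberately not checked: the route is in the query string.
    q = params(query)
    if (ROUTE_RE.search(first(q, "s"))
            and first(q, "function").lower() == "call_user_func_array"
            and first(q, "vars[0]").lower() in EXEC_FUNCS):
        return {"variant": "get-invokefunction",
                "func": first(q, "vars[0]").lower(),
                "command": first(q, "vars[1][]")}

    # Variant 2: POST /index.php?s=captcha with body
    #            _method=__construct&filter[]=<exec func>&method=get&server[REQUEST_METHOD]=<command>
    if record.get("method", "").upper() == "POST":
        b = params(record.get("body", ""))
        if (first(b, "_method") == "__construct"
                and first(b, "filter[]").lower() in EXEC_FUNCS):
            return {"variant": "post-construct-filter",
                    "func": first(b, "filter[]").lower(),
                    "command": first(b, "server[request_method]")}
    return None


def probe_confirmed(response_body: str) -> bool:
    """Only the scanner probe `echo thinkphp | rev` yields this string, so a match
    confirms a Nuclei-style check succeeded; an attacker's own command will not
    produce it, and its absence proves nothing."""
    return "phpkniht" in response_body


# Constructed sample traffic: three attempts (one double-encoded) and two benign requests.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "url": "/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array"
            "&vars[0]=system&vars[1][]=echo%20thinkphp%20%7C%20rev",
     "body": ""},
    {"method": "GET",
     "url": "/public//?s=index/%255Cthink%255Capp/invokefunction&function=call_user_func_array"
            "&vars%255B0%255D=shell_exec&vars%255B1%255D%255B%255D=id",
     "body": ""},
    {"method": "POST", "url": "/index.php?s=captcha",
     "body": "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo%20thinkphp%20%7C%20rev"},
    {"method": "GET", "url": "/index.php?s=/Index/User/login", "body": ""},
    {"method": "POST", "url": "/index.php?s=captcha", "body": "code=1234"},
]


def scan(records=SAMPLE_REQUESTS) -> list:
    """Run classify over a batch; return (index, finding) pairs for the hits."""
    return [(i, f) for i, r in enumerate(records) if (f := classify(r))]


if __name__ == "__main__":
    for i, finding in scan():
        print(i, finding)
```

Parsing the parameters rather than regex-matching the raw line is what makes the second sample (every bracket and backslash double-encoded) land on the same rule as the first. The check is limited to the s= parameter the page documents; ThinkPHP also accepts the controller path in PATH_INFO form (/index.php/index/\think\app/invokefunction...), which this example does not cover.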

CVSS provenance

Source     | Version | Score | Severity | Vector
nvd        | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv        |         | 5.5   | MEDIUM   |
vulncheck  |         | 10.0  | CRITICAL |
cisa       |         | 8.8   | HIGH     |