CVE-2020-15227
Published: 2020-10-01
Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 35.23% (98.2nd percentile)
Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16 and 3.0.6 are vulnerable to a code injection attack: specially formed parameters passed in the URL can lead to remote code execution (RCE). Nette is a PHP/Composer MVC framework.
Affected
19 source ranges, deduplicated below; the six nette/application rows that carried no version data are omitted.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — (see the debian-lts-announce reference) | — |
| nette | application | >= 2.0.0 < 2.0.19 | 2.0.19 |
| nette | application | >= 2.1.0 < 2.1.13 | 2.1.13 |
| nette | application | >= 2.2.0 < 2.2.10 | 2.2.10 |
| nette | application | >= 2.3.0 < 2.3.14 | 2.3.14 |
| nette | application | >= 2.4.0 < 2.4.16 | 2.4.16 |
| nette | application | >= 3.0.0 < 3.0.6 | 3.0.6 |
Note: the vendor advisory (GHSA-8gv3-3j7f-wg94) ships the 2.0.x and 2.1.x fixes in the nette/nette Composer package and the 2.2.x, 2.3.x, 2.4.x and 3.0.x fixes in nette/application, so check both package names.
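The fixed-version thresholds above are per branch, so a naive "is the version below 3.0.6" check misreports a 2.4.15 install as safe. The script below is an added example (not part of this page, of Nette, or of Composer) that walks a composer.lock and applies the correct threshold for each branch; the lock file embedded in it is constructed, pre-release tags such as 2.4.16-rc1 are treated as below their final release, and branches the advisory does not list (3.1.x and later) are treated as unaffected.

```python
import json
import re

# Fixed release per affected branch, taken from the Affected table above.
FIXED_BY_BRANCH = {
    (2, 0): (2, 0, 19),
    (2, 1): (2, 1, 13),
    (2, 2): (2, 2, 10),
    (2, 3): (2, 3, 14),
    (2, 4): (2, 4, 16),
    (3, 0): (3, 0, 6),
}
# Both Composer packages named in the advisory (nette/nette carries the 2.0 and 2.1 branches).
AFFECTED_PACKAGES = {"nette/application", "nette/nette"}

# Composer tags: optional 'v', three numeric parts, optional pre-release (-rc1) and build (+abc).
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?")


def parse_version(version):
    """Return (major, minor, patch, final) for a tag like 'v2.4.15' or '3.0.6-rc1'.

    `final` is 0 for pre-releases and 1 for final releases, so '2.4.16-rc1' sorts
    below '2.4.16'. Dev branches ('dev-master', '2.4.x-dev') return None because
    they cannot be compared numerically and need a manual look.
    """
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return None
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable(version):
    """True if `version` lies in an affected branch below that branch's fix,
    False if it is at/after the fix or in a branch the advisory does not list,
    None if the tag is not comparable."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False
    return v < fixed + (1,)


def scan_composer_lock(lock_text):
    """Return (package, version, verdict) for every affected package pinned in a composer.lock."""
    lock = json.loads(lock_text)
    verdicts = {True: "vulnerable", False: "fixed", None: "unknown (review manually)"}
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in AFFECTED_PACKAGES:
                version = pkg.get("version", "")
                findings.append((name, version, verdicts[is_vulnerable(version)]))
    return findings


# Constructed sample lock file (not from any real project): one vulnerable pin, one dev branch.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "nette/application", "version": "v2.4.15"},
        {"name": "nette/utils", "version": "v2.5.7"},
    ],
    "packages-dev": [
        {"name": "nette/nette", "version": "dev-master"},
    ],
})

if __name__ == "__main__":
    for name, version, verdict in scan_composer_lock(SAMPLE_COMPOSER_LOCK):
        print(f"{name} {version}: {verdict}")
```

Run it against a real composer.lock by replacing `SAMPLE_COMPOSER_LOCK` with the file's contents; a "unknown" verdict for a dev branch means the deployed commit has to be compared against the fix commit by hand.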
Detection & IOCs (extracted from sources)
ET Open rule (Suricata syntax), sid 2031222:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_19, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Probe/exploit requests target the `?callback=` query parameter on Nette micro-presenter endpoints (e.g. `/nette.micro/`). Any PHP callable can be injected, so look for `?callback=` followed by a PHP function name such as `shell_exec`, `system`, `passthru` or `phpcredits`.
- For the `phpcredits` probe, a successful response contains the string `PHP Credits` in the body, which confirms arbitrary PHP function execution. Other callables produce different output (or none, for blind payloads), so do not key detection on this string alone.
- Nette applications typically announce themselves with the string `Nette Framework` in a response header (Nette sets `X-Powered-By`); use it to fingerprint candidate targets, keeping in mind that it identifies the framework, not the version, so a fingerprint hit is not proof of vulnerability.
- FOFA/asset-discovery queries `app="nette-Framework"` and `app="nette-framework"` can be used to identify exposed Nette instances on the internet.
- The ET rule (sid 2031222) fires only on an inbound HTTP GET whose URI contains `nette` followed (`distance:0`) by the literal `?callback=shell_exec`. It misses POST requests, other callables, and percent-encoded or re-ordered parameters, so monitor web server logs for the broader pattern as well. Its metadata maps the rule to TA0008/T1210 (Lateral Movement), which fits its internal deployment; against an internet-facing host the same request is initial access.
- The Nuclei probe uses `?callback=phpcredits` (a benign PHP function) as a safe detection payload. Real attacks use dangerous callables like `shell_exec`. Detection rules should cover the broader `?callback=<any_php_function>` pattern, not just the PoC value.
- The vulnerability affects multiple Nette version branches; patched versions are 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16 and 3.0.6. Version checks must apply each branch's own threshold: a 2.4.15 install is vulnerable even though 3.0.6 exists.
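As an added example of the broader detection the items above call for (example code written for this page, not a rule from ET, Nuclei or the Nette project), the script below scans web-server access logs in combined format and flags any request carrying a `callback` parameter, independently of HTTP method, percent-encoding and the specific callable. The log lines embedded in it are constructed, the `cmd=` argument in them is illustrative only, and the command-execution functions beyond those named on this page (`exec`, `popen`, `proc_open`) are an assumption about what attackers would pass.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Callables named on this page as attack payloads plus (assumption) the other usual
# PHP command-execution functions; any other callable is still flagged, just lower.
DANGEROUS = {"shell_exec", "system", "passthru", "exec", "popen", "proc_open"}
PROBES = {"phpcredits", "phpinfo"}  # benign scanner payloads; phpcredits is the Nuclei probe
CALLABLE_RE = re.compile(r"[A-Za-z_\\][\w\\:]*")  # PHP function or Class::method name

# Apache/nginx combined log: client ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so %63allback or %2563allback still reads as 'callback'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(method, uri):
    """Return a finding for a CVE-2020-15227 probe/exploit attempt, else None.

    Unlike the ET rule this is method-agnostic, decodes the URI first, and catches
    any callable in the `callback` parameter rather than the literal shell_exec.
    """
    parts = urlsplit(fully_decode(uri))
    callbacks = [v.strip() for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() == "callback"]
    if not callbacks:
        return None
    name = callbacks[0]
    on_nette_path = "nette" in parts.path.lower()
    if name.lower() in DANGEROUS:
        severity = "high"
    elif name.lower() in PROBES:
        severity = "medium (scanner probe)"
    elif on_nette_path and CALLABLE_RE.fullmatch(name):
        severity = "medium"
    else:
        severity = "low"  # e.g. ordinary JSONP callbacks on non-Nette paths
    return {"method": method, "path": parts.path, "callback": name, "severity": severity}


def scan_log(lines):
    """Run classify_request over access-log lines and return the findings in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, uri, status = m.groups()
        finding = classify_request(method, uri)
        if finding:
            finding.update(client=client, time=when, status=status)
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic); the cmd= argument is illustrative only.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2020:10:01:22 +0000] "GET /nette.micro/?callback=shell_exec&cmd=id HTTP/1.1" 200 512 "-" "python-requests/2.24.0"',
    '198.51.100.3 - - [19/Nov/2020:10:02:05 +0000] "GET /nette.micro/?callback=phpcredits HTTP/1.1" 200 8123 "-" "scanner/1.0"',
    '198.51.100.3 - - [19/Nov/2020:10:02:09 +0000] "POST /nette.micro/?%63allback=passthru&cmd=whoami HTTP/1.1" 200 40 "-" "curl/7.68.0"',
    '192.0.2.10 - - [19/Nov/2020:10:03:41 +0000] "GET /api/items?callback=jsonp123 HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [19/Nov/2020:10:04:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['path']} "
              f"callback={f['callback']} -> {f['severity']}")
```

The third sample line is the case the ET rule cannot see (POST, encoded parameter name, a callable other than `shell_exec`); the fourth shows why a bare `callback=` match is too noisy and why the path and the callable's name feed into severity. POST bodies are not in access logs, so a `callback` sent as a form field still needs a WAF or application-level log to catch.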
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 8.7 | HIGH | — |
OSV / GHSA
Potential Remote Code Execution vulnerability
osv · ghsa · 2020-10-02 · GHSA-8gv3-3j7f-wg94
CVE-2020-15227 [HIGH] CWE-74 Potential Remote Code Execution vulnerability
Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to a code injection attack by passing specially formed parameters in the URL, which may lead to RCE.
Reported by Cyku Hong from DEVCORE (https://devco.re)
### Impact
Code injection, possible remote code execution.
### Patches
Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13
OSV (CVE record)
osv · 2020-10-01 · CVSS 9.8
CVE-2020-15227 [CRITICAL] CVE-2020-15227: Nette versions before 2
Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16 and 3.0.6 are vulnerable to a code injection attack via specially formed URL parameters, which may lead to RCE. Nette is a PHP/Composer MVC framework.
VulnCheck
nette application Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck · 2020 · CVSS 8.7
CVE-2020-15227 [HIGH]
Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16 and 3.0.6 are vulnerable to a code injection attack via specially formed URL parameters, which may lead to RCE. Nette is a PHP/Composer MVC framework.
Affected: nette application
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2020-15227; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2020-15227; https://dashboard.shadowserver.org/stat
Ubuntu
Nette vulnerability
vendor_ubuntu · 2023-03-29
CVE-2020-15227 Nette vulnerability
Summary: Nette could be made to run programs if it received specially crafted network traffic.
Cyku Hong discovered that Nette was not properly handling and validating data used for code generation. A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: After a standard system update you need to restart any applications using Nette to make all the necessary changes.
Suricata
ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)
suricata · 2020-11-19 · CVSS 8.7
CVE-2020-15227 [HIGH] ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)
Rule: ET Open sid 2031222, rev 1 (full rule text in the Detection & IOCs section above).
Nuclei
Nette Framework - Remote Code Execution
nuclei · CVSS 9.8
CVE-2020-15227 [CRITICAL] Nette Framework - Remote Code Execution
Nette Framework versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, and 3.0.6 are vulnerable to a code injection attack via specially formed parameters being passed to a URL. Nette is a PHP/Composer MVC Framework.
Template (info block; the request section is not included on this page):
    id: CVE-2020-15227

    info:
      name: Nette Framework - Remote Code Execution
      author: becivells
      severity: critical
      description: Nette Framework versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, and 3.0.6 are vulnerable to a code injection attack via specially formed parameters being passed to a URL. Nette is a PHP/Composer MVC Framework.
      impact: |
        Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
      remediation: |
        Apply the latest security patches provided b
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42 · 2021-01-22 · CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
## Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang
Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren't always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
References
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://lists.debian.org/debian-lts-announce/2021/04/msg00003.html
- https://packagist.org/packages/nette/application
- https://packagist.org/packages/nette/nette