CVE-2020-15227
published 2020-10-01


Priority: P186, critical, 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: exploited (VulnCheck KEV, initial access)
EPSS: 35.23% (98.2th percentile)

Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16 and 3.0.6 are vulnerable to a code injection attack by passing specially formed parameters to the URL, possibly leading to RCE. Nette is a PHP/Composer MVC framework.

Affected

19 ranges listed by the source (duplicate rows collapsed)

Vendor   Product        Version range        Fixed in
debian   debian_linux   (no range given)     -
nette    application    (no range given)     -
nette    application    >= 2.0.0 < 2.0.19    2.0.19
nette    application    >= 2.1.0 < 2.1.13    2.1.13
nette    application    >= 2.2.0 < 2.2.10    2.2.10
nette    application    >= 2.3.0 < 2.3.14    2.3.14
nette    application    >= 2.4.0 < 2.4.16    2.4.16
nette    application    >= 3.0.0 < 3.0.6     3.0.6

Detection & IOCs (extracted from sources)

url: /nette.micro/?callback=phpcredits
command: ?callback=shell_exec
command: ?callback=phpcredits

snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_19, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Probe/exploit requests target the `?callback=` query parameter on Nette endpoints (e.g. `/nette.micro/`). Any PHP callable can be injected — look for `?callback=` followed by PHP function names such as `shell_exec`, `phpcredits`, `system`, `passthru`, etc.
  • Successful exploitation responses will contain the string 'PHP Credits' in the HTTP response body, indicating arbitrary PHP function execution.
  • Vulnerable Nette servers identify themselves via the `Nette Framework` string in HTTP response headers — use this to fingerprint targets.
  • FOFA/asset-discovery queries `app="nette-Framework"` and `app="nette-framework"` can be used to identify exposed Nette instances on the internet.
  • The Snort/ET rule triggers on inbound HTTP GET requests containing both the URI fragment `nette` and `?callback=shell_exec` — monitor web server logs for this pattern.
  • The Nuclei probe uses `?callback=phpcredits` (a benign PHP function) as a safe detection payload. Real attacks will use dangerous callables like `shell_exec`. Detection rules should cover the broader `?callback=<any_php_function>` pattern, not just the PoC value.
  • The vulnerability affects multiple Nette version branches; patched versions are 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, and 3.0.6. Ensure version checks in detection cover all affected branches below these thresholds.
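The two detection points above (the `?callback=<php_function>` log pattern and the per-branch version threshold) as a worked example. This is added illustration code, not code from this page, from the Nette project or from the referenced Nuclei/ET rules. It goes slightly beyond the bullets: it percent-decodes the callback value before matching, and it flags a dangerous callable even off a Nette path while ignoring ordinary JSONP callbacks elsewhere. The access-log lines, the test addresses and the inclusion of `exec` alongside the callables named on the page are my constructions.

```python
"""Detection helpers for CVE-2020-15227-style requests (example code, not from the advisory)."""
import re
from urllib.parse import parse_qs, urlsplit

# Callables named on the advisory page as seen in attacks, plus `exec`, a comparable
# PHP built-in (my addition). Any other callable on a Nette path is still flagged.
DANGEROUS_CALLABLES = {"shell_exec", "system", "passthru", "exec"}
# Harmless callable used by the public Nuclei probe.
PROBE_CALLABLES = {"phpcredits"}

# Source address and the request line of a "combined" access-log entry.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Nov/2020:10:01:02 +0000] "GET /nette.micro/?callback=phpcredits HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Nov/2020:10:01:05 +0000] "GET /nette.micro/?callback=shell_exec HTTP/1.1" 200 312 "-" "python-requests/2.24"
198.51.100.7 - - [19/Nov/2020:10:02:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [19/Nov/2020:10:03:40 +0000] "GET /app/nette.micro?callback=%73ystem HTTP/1.1" 500 0 "-" "curl/7.68.0"
198.51.100.9 - - [19/Nov/2020:10:04:00 +0000] "GET /api/jsonp?callback=handleData HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def classify_callable(name):
    """Map a callback value to a severity label."""
    if name in DANGEROUS_CALLABLES:
        return "exploit-attempt"
    if name in PROBE_CALLABLES:
        return "probe"
    return "suspicious"


def analyze_log(text):
    """Return one finding per `callback=` value worth a look, in log order."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qs percent-decodes values, so `%73ystem` is compared as `system`.
        callbacks = parse_qs(parts.query).get("callback", [])
        if not callbacks:
            continue
        on_nette_path = "nette" in parts.path.lower()
        for cb in callbacks:
            severity = classify_callable(cb)
            # On a Nette endpoint every callback is of interest; elsewhere only a
            # dangerous callable is, because JSONP callbacks are legitimate there.
            if on_nette_path or severity == "exploit-attempt":
                findings.append({"src": m.group("src"), "path": parts.path,
                                 "callback": cb, "severity": severity})
    return findings


# Fixed release per affected branch, from the advisory's version ranges.
FIXED_RELEASES = {
    (2, 0): (2, 0, 19), (2, 1): (2, 1, 13), (2, 2): (2, 2, 10),
    (2, 3): (2, 3, 14), (2, 4): (2, 4, 16), (3, 0): (3, 0, 6),
}


def is_vulnerable_version(version):
    """True if below the fixed release of its branch, False if at or above it,
    None if the branch is not one the advisory lists (or the string is not a version)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    parsed = tuple(int(x) for x in m.groups())
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
    for v in ("2.4.15", "2.4.16", "3.0.5", "3.0.6", "3.1.0"):
        print(v, is_vulnerable_version(v))
```

Run against a real log, the probe/exploit-attempt split lets the phpcredits scanner traffic be triaged separately from shell_exec attempts, and the version check returns None rather than a false "not vulnerable" for branches the advisory does not cover.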

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vulncheck: 8.7 HIGH