Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2019-11043
PUBLISHED
Underflow in PHP-FPM can lead to RCE
- Vendor: PHP
- Product: PHP
- Published: Oct 28, 2019
- EPSS: —
Description
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
CVSS scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
SSVC decision points
- Exploitation: active
- Automatable: No
- Technical impact: total
References
- https://github.com/neex/phuip-fpizdam
- https://bugs.php.net/bug.php?id=78599
- https://usn.ubuntu.com/4166-1/
- https://www.debian.org/security/2019/dsa-4552
- https://www.debian.org/security/2019/dsa-4553
- https://usn.ubuntu.com/4166-2/
- https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
- https://security.netapp.com/advisory/ntap-20191031-0003/
- https://access.redhat.com/errata/RHSA-2019:3286
- https://access.redhat.com/errata/RHSA-2019:3287
- https://access.redhat.com/errata/RHSA-2019:3299
- https://access.redhat.com/errata/RHSA-2019:3300
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
- https://access.redhat.com/errata/RHSA-2019:3724
- https://access.redhat.com/errata/RHSA-2019:3735
- https://access.redhat.com/errata/RHSA-2019:3736
- https://www.synology.com/security/advisory/Synology_SA_19_36
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
- https://support.apple.com/kb/HT210919
- https://seclists.org/bugtraq/2020/Jan/44
- http://seclists.org/fulldisclosure/2020/Jan/40
- https://access.redhat.com/errata/RHSA-2020:0322
- http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
- https://www.tenable.com/security/tns-2021-14
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Mar 25, 2022 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/php_fpm_rce.rb | Apr 28, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2020-11-18 07:25:37 UTC · 4 stars
PHP-FPM Remote Command Execution Exploit
github · Created 2020-07-13 16:32:15 UTC · 0 stars
quick and dirty PHP RCE proof of concept
github · Created 2020-05-05 09:43:44 UTC · 12 stars
This repository provides a dockerized infrastructure and a python implementation of the CVE-2019-11043 exploit.
github · Created 2019-11-17 05:16:02 UTC · 1 stars
remote debug environment for CLion
github · Created 2019-11-11 11:29:54 UTC · 16 stars
Ladon POC Module CVE-2019-11043 (PHP-FPM + Nginx)
github · Created 2019-11-06 15:44:47 UTC · 13 stars
CVE-2019-11043 PHP7.x RCE
github · Created 2019-11-06 14:53:13 UTC · 3 stars
CVE-2019-11043 && PHP7.x && RCE EXP
github · Created 2019-10-30 10:22:41 UTC · 7 stars
Docker image and commands to check CVE-2019-11043 vulnerability on nginx/php-fpm applications.
github · Created 2019-10-29 11:16:12 UTC · 5 stars
Python exp for CVE-2019-11043
github · Created 2019-10-28 11:09:06 UTC · 145 stars
(PoC) Python version of CVE-2019-11043 exploit by neex
github · Created 2019-10-24 12:32:02 UTC · 27 stars
github · Created 2019-10-24 09:12:38 UTC · 1 stars
github · Created 2019-10-24 09:09:01 UTC · 0 stars
github · Created 2019-10-24 05:28:41 UTC · 4 stars
PHP-FPM Remote Code Execution Vulnerability (CVE-2019-11043) POC in Python
github · Created 2019-10-23 13:34:28 UTC · 0 stars
Timeline
- CVE ID Reserved
- CVE Published to Public
- Exploit Used in Malware
- Added to KEVIntel
- Detected by Metasploit