CVE-2020-36326

9.8 CRITICAL

📋 TL;DR

This vulnerability in PHPMailer allows remote attackers to execute arbitrary code through object injection via Phar deserialization when using UNC pathnames in addAttachment. It affects PHPMailer versions 6.1.8 through 6.4.0. The vulnerability occurs because a security fix inadvertently removed protection against UNC path exploitation.

💻 Affected Systems

Products:
  • PHPMailer
Versions: 6.1.8 through 6.4.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires the addAttachment function to be called with user-controlled UNC pathnames. Applications using PHPMailer for email functionality with file attachments are at risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to execute arbitrary PHP code on the server, potentially leading to web shell installation and data exfiltration.

🟢

If Mitigated

Limited impact if proper input validation and file upload restrictions are in place, though exploitation risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to control UNC pathnames passed to addAttachment. The vulnerability is similar to CVE-2018-19296 and leverages Phar deserialization techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.1 and later

Vendor Advisory: https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9

Restart Required: No

Instructions:

1. Update PHPMailer to version 6.4.1 or later using composer update phpmailer/phpmailer.
2. Verify the update by checking the PHPMailer version in your project.
3. Test email functionality to ensure compatibility.

🔧 Temporary Workarounds

Input Validation for UNC Paths

all

Implement server-side validation to reject UNC pathnames (starting with \\ or //) in file attachment parameters.

// PHP code example: reject UNC-style pathnames before they reach addAttachment
if (strpos($pathname, '\\') === 0 || strpos($pathname, '//') === 0) {
    die('Invalid path');
}
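The same check as a reusable function, added here as an example and not code from the advisory or from PHPMailer itself; it goes beyond the one-line check above by also rejecting explicit stream wrappers such as phar:// and by confining the resolved path to an allowed directory. The function name isSafeAttachmentPath and the $allowedDir parameter are assumptions.

```php
<?php
// Added example (not PHPMailer's own code): a hardened attachment-path check to
// run before PHPMailer::addAttachment(). $allowedDir is an assumed configuration
// value naming the only directory attachments may be read from.
function isSafeAttachmentPath(string $path, string $allowedDir): bool
{
    // Reject UNC pathnames: '\\server\share\file' or '//server/share/file'.
    if (strncmp($path, '\\\\', 2) === 0 || strncmp($path, '//', 2) === 0) {
        return false;
    }
    // Reject any stream wrapper (phar://, file://, data:// ...); attachments
    // must be plain local paths, so no wrapper is ever handed to file functions.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    // Resolve symlinks and '..', then require the file to sit inside $allowedDir.
    $real = realpath($path);
    $base = realpath($allowedDir);
    if ($real === false || $base === false || !is_file($real)) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed demonstration inputs; the temp file stands in for a real upload.
$allowedDir = sys_get_temp_dir();
$good = tempnam($allowedDir, 'att');
file_put_contents($good, "hello\n");

$cases = [
    $good,                                    // local file in $allowedDir: allowed
    '\\\\fileserver.example\\share\\report.pdf', // UNC with backslashes: rejected
    '//fileserver.example/share/report.pdf',    // UNC with forward slashes: rejected
    'phar://' . $good . '/report.pdf',          // stream wrapper: rejected
    '/etc/passwd',                              // outside $allowedDir: rejected
];
foreach ($cases as $case) {
    printf("%-45s %s\n", $case, isSafeAttachmentPath($case, $allowedDir) ? 'allowed' : 'rejected');
}
unlink($good);
```

Call isSafeAttachmentPath() on every user-influenced path and only pass paths that return true to addAttachment().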

Disable Phar Deserialization

all

Configure PHP to disable Phar deserialization by setting phar.readonly to 1 in php.ini.

phar.readonly = 1

🧯 If You Can't Patch

  • Implement strict input validation to block UNC pathnames in all user-controlled file attachment parameters.
  • Restrict file upload functionality to only allow specific file extensions and validate file content.

🔍 How to Verify

Check if Vulnerable:

Check your composer.json or project files for PHPMailer version. If version is between 6.1.8 and 6.4.0 inclusive, you are vulnerable.

Check Version:

php -r "require 'vendor/autoload.php'; echo PHPMailer\PHPMailer\PHPMailer::VERSION;"

Verify Fix Applied:

Verify PHPMailer version is 6.4.1 or later. Test that UNC pathnames (starting with \\ or //) are rejected when passed to addAttachment.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file attachment attempts with UNC paths (starting with \\ or //)
  • Unexpected Phar archive processing in PHP logs
  • Errors related to PHPMailer addAttachment function with suspicious paths

Network Indicators:

  • Outbound connections to unexpected SMB shares from web servers
  • Unusual network traffic patterns following file upload attempts

SIEM Query:

source="web_logs" AND (path="*\\\\*" OR path="*//*") AND action="addAttachment"

🔗 References
