🔴 CVE-2016-10033

PHPMailer before 5.2.18 contains a command injection vulnerability allowing remote attackers to execute arbitrary code via a crafted Sender property. This vulnerability affects countless web applications that use PHPMailer for email functionality and is actively exploited in the wild.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2016-12-30

Added to CISA KEV: 2025-07-07 (3111 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2016-10033 is a critical remote code execution (RCE) vulnerability affecting the PHPMailer library, which has remained a significant security concern due to its presence in legacy web applications [5] [4].

Overview and Impact
  • Vulnerability Type: Remote Code Execution (RCE) via command injection [1] [5].
  • Impact: Successful exploitation allows an attacker to execute arbitrary commands on the underlying server with the privileges of the web server process [1] [5].
  • CVSS Score: 9.8 (Critical) [2].

Exploitation Details
  • Attack Method: The vulnerability exists in the `mailSend` function of the `isMail` transport. Attackers can inject malicious parameters into the `sendmail` command by providing a crafted `Sender` property containing a backslash and double quote (`\"`) [1] [5].
  • Requirements: This is a remote attack that does not require local access. It typically requires the application to use the vulnerable PHPMailer library to send emails where user-supplied input is passed to the `Sender` field without proper sanitization.
  • User Interaction: Generally, no specific user interaction is required from the target administrator; the attack is triggered by the application processing the malicious input.

Status and Exploitation in the Wild
  • Active Exploitation: As of July 2025, CVE-2016-10033 was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild [2] [4].
  • Threat Actors/Campaigns: While specific threat actor groups are often not publicly attributed to every instance of exploitation for this vulnerability, its inclusion in the CISA KEV catalog underscores its use in real-world attacks against legacy web applications that have failed to update or replace the vulnerable library [4].

Affected Products and Mitigation
  • Affected Versions: PHPMailer versions before 5.2.18 are vulnerable.
  • Note on Fixes: Users should be aware that an incomplete fix for this issue led to the discovery of a related vulnerability, CVE-2016-10045, which affected versions before 5.2.20 [3].
  • Mitigation: The primary mitigation is to update the PHPMailer library to a patched version (5.2.20 or later is recommended to address both CVE-2016-10033 and the subsequent CVE-2016-10045) [3]. Organizations should audit their web applications to identify and update any instances of the legacy library [2].
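
The audit step in the mitigation above can be scripted. The following is an added example, not code from PHPMailer or from the cited sources: it walks a directory tree, reads the version string from each bundled PHPMailer class file, and classifies it against the 5.2.18 and 5.2.20 thresholds given on this page. The sample tree, its paths and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# 5.x declares `public $Version = '5.2.17';` in class.phpmailer.php;
# 6.x declares `const VERSION = '6.9.1';` in src/PHPMailer.php.
VERSION_RE = re.compile(
    r"""(?:\$Version|const\s+VERSION)\s*=\s*['"](\d+(?:\.\d+)*)[^'"]*['"]""")
CLASS_FILES = {"class.phpmailer.php", "phpmailer.php"}
SAMPLES = {  # constructed sample files, not real application paths
    "blog/lib/class.phpmailer.php": "<?php public $Version = '5.2.17';",
    "shop/lib/class.phpmailer.php": "<?php public $Version = '5.2.19';",
    "crm/vendor/phpmailer/phpmailer/src/PHPMailer.php":
        "<?php const VERSION = '6.9.1';",
}

def parse_version(text):
    """Return the declared version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    if version is None:
        return "unknown: no version string, inspect manually"
    if version < (5, 2, 18):
        return "vulnerable to CVE-2016-10033"
    if version < (5, 2, 20):
        return "incomplete fix: CVE-2016-10045"
    return "patched for both CVEs"

def audit(root):
    """List (relative path, version, verdict) for each PHPMailer class file."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        if path.name.lower() in CLASS_FILES:
            text = path.read_text(encoding="utf-8", errors="replace")
            version = parse_version(text)
            rel = path.relative_to(root).as_posix()
            findings.append((rel, version, classify(version)))
    return findings

def demo():
    """Build the constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body, encoding="utf-8")
        return audit(tmp)
```

Run `audit()` against a real web root to get the same tuples; copies reported as unknown have had the version string removed or altered and need manual review.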

Sources

  1. NVD - CVE-2016-10033

    CVE-2016-10033 Detail. Description. The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code v…

  2. NVD - CVE-2016-10045

    CVE-2016-10045 Detail. Deferred. The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in…

  3. 9 Year Old Vulnerability Still Affecting Thousands (CVE-2016-10033)

    SecurityScorecard July 7 Advisory: On July 07, 2025, CVE-2016-10033 was added to CISA's list of Known Exploited Vulnerabilities (CISA-KEV). This vulnerability is a critical vulnerability affec…

  4. 4 Critical, Known Exploited Vulnerabilities Added

    The recent addition of four older, yet actively exploited vulnerabilities (CVE-2014-3931, CVE-2016-10033, CVE-2019-5418, CVE-2019-9621) to the United States Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog highlights a critical, often underestim…

  5. CVE-2016-10033: Detection and Response Guide for 2025 - UpGuard

    Almost a decade after its discovery, the critical remote code execution vulnerability known as CVE-2016-10033 continues to pose a ... CVE-2016-10033 is a critical remote code execution vulnerability discovered in PHPMailer, an immensely popular code library for sending emails from PHP scripts. The i…