CVE-2019-11043

Home/CVE/PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

CVE

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

HIGH · CVSS 8.7 ⚠ CISA KEV EPSS 0.94053 Ransomware: known

Act now

Listed on CISA KEV (known exploited in the wild)
Linked to known ransomware campaigns
SSVC exploitation status: active
EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 0% of all CVEs by exploitation likelihood
Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬢

Required Remediation

Apply updates per vendor instructions.

⬡

Weakness Classification

CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-787Out-of-bounds Write

▤

Affected Products & Versions

php>= 7.1.0 and < 7.1.33
php>= 7.2.0 and < 7.2.24
php>= 7.3.0 and < 7.3.11
canonical ubuntu linuxall versions
debian linuxall versions
fedoraproject fedoraall versions
tenable tenable.sc< 5.19.0
redhat software collectionsall versions
Show all 24 affected productsredhat enterprise linuxall versions
redhat enterprise linux desktopall versions
redhat enterprise linux eusall versions
redhat enterprise linux eus compute nodeall versions
redhat enterprise linux for arm 64all versions
redhat enterprise linux for arm 64 eusall versions
redhat enterprise linux for ibm z systemsall versions
redhat enterprise linux for ibm z systems eusall versions
redhat enterprise linux for power big endianall versions
redhat enterprise linux for power big endian eusall versions
redhat enterprise linux for power little endianall versions
redhat enterprise linux for power little endian eusall versions
redhat enterprise linux for scientific computingall versions
redhat enterprise linux serverall versions
redhat enterprise linux server ausall versions
redhat enterprise linux server tusall versions

⚠

Public Exploits & PoCs

remotePHP-FPM - Underflow Remote Code Execution (Metasploit)verified
webappsPHP-FPM + Nginx - Remote Code Execution2019-10-28
pocpacketstormsecurity.com · PHP-FPM-7.x-Remote-Code-Execution.htmlpacketstormsecurity.com
pocbugs.php.net · bug.php?id=78599bugs.php.net
pocgithub.com · phuip-fpizdamgithub.com

◈

Detection Rules (IDS/IPS)

et-openET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)web-application-attack

Open rulesets (ET Open, Snort Community, abuse.ch) link to source. Commercial rulesets are reference-only.

▣

Scoring & Timeline

8.7

HIGH · CVSS v3.1 · security@php.net

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD28 Oct 2019 · 03:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

SSVC triage · cisa-vulnrichment

Exploitation

active

Automatable

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

suse-csafopenSUSE-SU-2024:11167-1
suse-csafopenSUSE-SU-2024:11169-1
suse-csafSUSE-SU-2022:4067-1
cisaKEV-CVE-2019-11043
suse-csafSUSE-SU-2020:0522-1
Show all 22 vendor advisoriessuse-csafopenSUSE-SU-2019:2457-1
suse-csafSUSE-SU-2019:2909-1
suse-csafopenSUSE-SU-2019:2441-1
suse-csafSUSE-SU-2019:2819-1
usnUSN-4166-2
suse-csafSUSE-SU-2019:2809-1
usnUSN-4166-1
rhsaRHSA-2020:0322Critical
rhsaRHSA-2019:3287Critical
rhsaRHSA-2019:3299Critical
rhsaRHSA-2019:3300Critical
rhsaRHSA-2020:2835Critical
rhsaRHSA-2019:3286Critical
rhsaRHSA-2019:3735Critical
rhsaRHSA-2019:3724Critical
rhsaRHSA-2019:3736Critical
cisa-csafcisa-csaf-csaf_files-OT-white-2026-icsa-26-027-02

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.htmlMailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.htmlMailing ListThird Party Advisory

http://seclists.org/fulldisclosure/2020/Jan/40Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/Mailing ListThird Party Advisory

Show all 17 references

https://seclists.org/bugtraq/2020/Jan/44Mailing ListThird Party Advisory

https://security.netapp.com/advisory/ntap-20191031-0003/Third Party Advisory

https://support.apple.com/kb/HT210919Third Party Advisory

https://support.f5.com/csp/article/K75408500?utm_source=f5support&ampThird Party Advisory

https://usn.ubuntu.com/4166-1/Third Party Advisory

https://usn.ubuntu.com/4166-2/Third Party Advisory

https://www.debian.org/security/2019/dsa-4552Mailing ListThird Party Advisory

https://www.debian.org/security/2019/dsa-4553Mailing ListThird Party Advisory

https://www.synology.com/security/advisory/Synology_SA_19_36Third Party Advisory

https://www.tenable.com/security/tns-2021-14Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11043US Government Resource

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin