Actively exploited · 3 sources verified
By Lyrie Threat Intelligence·7/7/2025

What happened

CISA added CVE-2016-10033 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-07-07, triggering mandatory remediation timelines for federal agencies. [CISA KEV]

The vulnerability is a command injection in PHPMailer’s use of PHP’s mail() transport inside class.phpmailer.php: attacker-controlled input reaches a shell context and can execute arbitrary code within the application’s security boundary. [NVD entry] Active exploitation is a condition for KEV inclusion, and the catalog entry confirms it. [CISA KEV]

CISA’s record characterizes the issue succinctly: PHPMailer fails to sanitize user-supplied input in the mail() path, enabling command injection that can lead to remote code execution (with failed attempts potentially causing denial-of-service). [CISA KEV]

Why it matters

This is not a fringe plugin flaw; it sits in a core email-sending library frequently embedded as a third-party component across products and custom applications. CISA flags this class of issue as affecting open-source components that can propagate into many downstream implementations. [CISA KEV]

Command injection through email transport routines is high-impact: attackers can pivot from a single web request to code execution under the app’s user, sidestepping typical perimeter controls. [NVD entry] Given KEV status, opportunistic exploitation is expected wherever legacy PHPMailer code is present and exposed. [CISA KEV]

Technical detail

Root cause: class.phpmailer.php channels untrusted input into PHP’s mail() implementation, which historically invokes a local sendmail-compatible binary and therefore permits shell-argument injection when parameters aren’t strictly sanitized. [MITRE CVE] The flaw maps to the command injection classes CWE-77 (Command Injection) and CWE-88 (Argument Injection). [NVD entry]

Impact: an attacker can execute arbitrary commands within the web application context, achieving remote code execution. If exploitation fails (e.g., malformed payloads), it can still crash or hang the mail path, causing application-level denial-of-service. [NVD entry]

Exploit surface: any PHP application path that accepts user input and passes it into PHPMailer’s mail() transport without robust normalization. That includes endpoints handling contact forms, registration flows, or password resets, if they rely on vulnerable PHPMailer mail() code and do not sanitize fields before invoking it. [NVD entry]

Fix status: the upstream project issued patches, and the GitHub Security Advisory documents the vulnerability, its mitigations, and the patched PHPMailer versions (historically fixed around the 5.2.18 line). [GitHub Advisory GHSA-5f37-gxvh-23v6] The NVD record corroborates that vendor remediation is available. [NVD entry]

Defense

Prioritize patching per KEV: inventory all applications bundling PHPMailer and update to a patched release as directed by the vendor/advisory. Federal programs should align with CISA’s remediation due date and BOD 22-01 guidance. [CISA KEV] [GitHub Advisory GHSA-5f37-gxvh-23v6]

Architectural controls:

  • Prefer safe transports and libraries that avoid shell invocation pathways, or ensure strict parameter sanitization before any mail transport call. [NVD entry]
  • Enforce allowlists for email header fields and strip control characters to minimize the injection surface in mail routines. [MITRE CVE]

Detection and response:

  • Monitor PHP application hosts for abnormal mail/sendmail executions spawned by web worker processes (e.g., sudden spikes or unexpected flags), as this is consistent with command/argument injection abuse through mail() pathways. [NVD entry]
  • Inspect web logs for anomalous input containing shell metacharacters delivered to email-handling endpoints; correlate with PHP error logs for mail() failures that coincide with user-controlled fields. [MITRE CVE]
  • If compromise is suspected, treat the app boundary as breached: rotate secrets, review persistence on the web host, and reimage where appropriate. Align remediation urgency with KEV inclusion. [CISA KEV]
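As an added example (not Lyrie’s code or PHPMailer’s), the log correlation described in the detection bullets above, run over constructed Apache access-log and PHP error-log lines: it flags requests to assumed email-handling endpoints (/contact, /register, /reset) whose address-type parameters contain whitespace or shell metacharacters, and records whether a mail() failure was logged within a few seconds of the request. The endpoint paths, field-name pattern, sample lines and shared UTC time zone are all assumptions for the demo.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample logs for this demo (not from any real incident): Apache combined
# format and PHP's default error_log format, both assumed to be in UTC. Paths/line numbers are invented.
ACCESS_LOG = """\
203.0.113.7 - - [07/Jul/2025:10:01:02 +0000] "GET /contact.php?email=alice%40example.com&msg=hello+there HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2025:10:03:15 +0000] "GET /contact.php?email=bob%22%3B%20x%40example.com&msg=hi HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.8 - - [07/Jul/2025:10:05:40 +0000] "GET /reset.php?email=carol%2Bnews%40example.com HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
ERROR_LOG = """\
[07-Jul-2025 10:03:15 UTC] PHP Warning:  mail(): Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /var/www/html/class.phpmailer.php on line 123
[07-Jul-2025 10:20:00 UTC] PHP Notice:  Undefined index: foo in /var/www/html/index.php on line 7
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] PHP Warning:\s+mail\(\)')  # PHP mail() warning lines only
EMAIL_ENDPOINTS = ("/contact", "/register", "/reset")    # assumed endpoints that feed PHPMailer
EMAIL_FIELD = re.compile(r'mail|from|sender|reply', re.I)  # parameters that end up in a sender/header
# Whitespace, quotes, backslash and shell operators do not belong in an address that later lands on a sendmail command line.
SHELL_META = re.compile(r'[\s"\'\\;|&$`<>(){}]')

def parse_access(line):
    """Return ip, naive timestamp, path and decoded query params for one combined-log line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'].split(' ')[0], '%d/%b/%Y:%H:%M:%S')
    url = urlsplit(m['path'])
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {'ip': m['ip'], 'ts': ts, 'path': url.path, 'params': params}

def parse_mail_failure(line):
    m = ERROR_RE.match(line)
    return datetime.strptime(m['ts'].rsplit(' ', 1)[0], '%d-%b-%Y %H:%M:%S') if m else None

def analyze(access_log, error_log, window=timedelta(seconds=5)):
    """Flag email-endpoint requests whose address fields carry shell metacharacters; note nearby mail() failures."""
    failures = [t for t in map(parse_mail_failure, error_log.splitlines()) if t]
    alerts = []
    for req in filter(None, map(parse_access, access_log.splitlines())):
        if not req['path'].startswith(EMAIL_ENDPOINTS):
            continue
        bad = {k: v for k, v in req['params'].items() if EMAIL_FIELD.search(k) and SHELL_META.search(v)}
        if bad:
            nearby = any(abs(req['ts'] - t) <= window for t in failures)
            alerts.append({'ip': req['ip'], 'path': req['path'], 'fields': bad, 'mail_failure_nearby': nearby})
    return alerts
```

Combined-format logs carry only the query string, so for POST-driven forms feed a log that records request bodies (or the application’s own request log) through the same `analyze()`.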

Lyrie Verdict

CVE-2016-10033 is a classic shell-argument injection in a mail transport path that attackers automate at scale once a vulnerable endpoint is found. KEV confirmation means scanning and exploitation are in circulation now. [CISA KEV]

Lyrie’s autonomous sensors are tuned for this class of RCE: we track tainted user input traversing to process-spawn points and mail transports, flagging shell metacharacters and anomalous argument vectors in near-real time. That includes behavioral detections for PHP workers invoking sendmail-like binaries with attacker-sourced parameters, and cross-correlating with HTTP request provenance to auto-block the source when thresholds are met. [NVD entry] We fuse KEV intel to raise risk for unpatched PHPMailer signatures, accelerating containment and enforcing machine-speed quarantine before the first human ticket is cut. [MITRE CVE]

Lyrie auto-detects tainted-input flows into PHP mail() and anomalous sendmail argument patterns, correlates with HTTP sources, and quarantines at machine speed using KEV-aware risk to stop PHPMailer command-injection RCE before human response.