CISA Warns of PHPMailer Command Injection Vulnerability Exploited in Attacks

Key Takeaways
1. CVE-2016-10033 in PHPMailer allows attackers to execute arbitrary code through command injection in the mail() function.
2. The vulnerability is being exploited in live cyberattacks, risking system compromise and data breaches.
3. Organizations must fix this by July 28, 2025, after CISA's July 7 warning.
4. Upgrade to PHPMailer v5.2.18+ or discontinue use of vulnerable versions immediately.

CISA has issued an urgent warning regarding a critical command injection vulnerability in PHPMailer that is being actively exploited in cyberattacks. 

The vulnerability, tracked as CVE-2016-10033, poses significant risks to web applications worldwide that rely on the popular PHP-based email library. 

CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 7, 2025, with organizations required to implement fixes by July 28, 2025.

PHPMailer Command Injection Vulnerability

The PHPMailer command injection vulnerability stems from inadequate input sanitization within the library’s core functionality. 

Specifically, the flaw affects the mail() function in the class.phpmailer.php script, where user-supplied input is not properly validated before being processed. 

This security weakness allows attackers to inject malicious commands that execute within the application’s context, potentially leading to complete system compromise.

The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-88 (Improper Neutralization of Argument Delimiters in a Command), highlighting the fundamental input validation failures that enable the attack. 

When exploitation attempts fail, they can result in denial-of-service conditions, disrupting normal application operations. 

The technical nature of this vulnerability makes it particularly dangerous as PHPMailer is widely integrated into content management systems, web applications, and enterprise software solutions.

Cybercriminals are leveraging this vulnerability to execute arbitrary code on vulnerable systems, though the specific details of current attack campaigns remain under investigation. 

The command injection occurs when malicious input bypasses the library’s security controls, allowing attackers to run unauthorized commands on the hosting server. 

While CISA has not confirmed whether this vulnerability is being used in ransomware campaigns, the potential for such exploitation remains a significant concern given the widespread deployment of PHPMailer.

The vulnerability’s exploitation can lead to data breaches, unauthorized access to sensitive information, and complete server takeover. 

Organizations using affected PHPMailer versions face immediate risks, particularly those with internet-facing applications that process user input through email functionality.

Mitigation Strategies

CISA strongly recommends that organizations immediately apply vendor-provided mitigations and security patches. 

For cloud service deployments, administrators should follow BOD 22-01 guidance to ensure comprehensive protection. 

Organizations unable to implement available mitigations should consider discontinuing use of vulnerable PHPMailer implementations until proper security measures can be deployed.

The vulnerability affects PHPMailer versions prior to v5.2.18, and organizations should upgrade to the latest secure version immediately. 

Security teams should prioritize this vulnerability in their patching schedules and conduct thorough assessments of all applications utilizing PHPMailer functionality to ensure complete remediation across their infrastructure.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free