Description
On January 2, 2021, security researcher Ling Yizhou published research detailing a remote code execution (RCE) vulnerability in Zend Framework 3.0.0. The vulnerability is also present in Zend Framework’s successor, the Laminas Project, and stems from how the frameworks can be configured to deserialize PHP objects insecurely. It must be noted that neither Zend nor Laminas is vulnerable out of the box.
According to a Check Point Research blog post, CVE-2021-3007 is being exploited in the wild by malicious actors to build an IRC botnet. This attack campaign has been dubbed “FreakOut.”
Affected products
- Laminas Project laminas-http before 2.14.2
- Zend Framework 3.0.0
Rapid7 analysis
As Bleeping Computer describes:
While the actual untrusted deserialization has to come from a vulnerable application and does not exist in Zend Framework itself, the chain of classes provided by Zend allows an attacker to achieve RCE.
As does the PoC:
Zend Framework 3 itself has no point to trigger deserialization, so we need to construct a vulnerability demo by ourselves to verify the PoC.
The affected products are not vulnerable by default. The PoC instructs you to insert the following lines into module/Application/src/Controller/IndexController.php in order to trigger the vulnerability:

```php
// Deliberately unsafe sink from the PoC: untrusted POST data goes straight into unserialize()
$data = $this->getRequest()->getPost('hello');
unserialize(base64_decode($data));
```

The vulnerability can only be exploited, in this case, when Zend deserializes the data passed through the hello parameter in a POST request.
The attacker must know an endpoint and parameter combination that accepts serialized data in order to exploit the vulnerability. It is likely mature applications will accept serialized data somewhere in the application and therefore be vulnerable. It is also likely attackers will be able to find those attack vectors with a bit of determination.
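Because the sink is application code and the gadget classes live in the framework, a client-supplied serialized framework object is the thing to look for on the wire. The following Python is an added example (not from Rapid7, the PoC or either framework) that checks POST parameters for base64-encoded PHP serialized objects and flags any that name a Laminas or Zend class; the sample bodies and the class name Laminas\Placeholder\SomeClass are constructed for illustration.

```python
import base64
import re

# PHP's serialize() writes an object as  O:<name-length>:"<ClassName>":<prop-count>:{...}
# That header is the signature we look for; the class name is captured.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Assumption: the application never expects framework objects from a client,
# so a serialized object in one of these namespaces is always worth an alert.
FRAMEWORK_PREFIXES = ("Laminas\\", "Zend\\")


def decode_param(value: str) -> bytes:
    """Return the bytes the application would see after base64_decode($data).

    PHP tolerates missing padding, so pad first; if the value is not base64 at
    all, fall back to the literal bytes so an un-encoded payload is still seen.
    """
    stripped = value.strip()
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:
        return stripped.encode("utf-8", "replace")


def serialized_classes(value: str) -> list[str]:
    """Class names of every serialized PHP object embedded in one parameter value."""
    return [m.group(1).decode() for m in PHP_OBJECT_RE.finditer(decode_param(value))]


def flag_request(params: dict[str, str]) -> list[tuple[str, str, bool]]:
    """(parameter, class, names_framework_class) for each serialized object found.

    Any client-supplied serialized object deserves a look; one naming a framework
    class matches the pattern above, where the gadget chain lives in the
    framework and only the unserialize() sink lives in the application.
    """
    hits = []
    for name, value in params.items():
        for cls in serialized_classes(value):
            hits.append((name, cls, cls.startswith(FRAMEWORK_PREFIXES)))
    return hits


# Constructed request bodies, not captured traffic: plain text, a harmless
# stdClass, and an object naming a placeholder (not real) framework class.
SAMPLE_POSTS = [
    {"hello": base64.b64encode(b"hello world").decode()},
    {"hello": base64.b64encode(b'O:8:"stdClass":1:{s:1:"a";i:1;}').decode()},
    {"hello": base64.b64encode(b'O:29:"Laminas\\Placeholder\\SomeClass":0:{}').decode()},
]
```

Run flag_request over each entry of SAMPLE_POSTS: the first yields nothing, the second reports a non-framework stdClass, and the third reports a framework-namespaced object.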
Guidance
Zend Framework or Laminas Project customers who have instances that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure both of the affected products are not exposed to the internet until the appropriate patches have been applied.
References
- https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md
- https://www.bleepingcomputer.com/news/security/zend-framework-disputes-rce-vulnerability-issues-patch/
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/