Vulnerability details: VCID-pv92-669g-eub2
Vulnerability ID VCID-pv92-669g-eub2
Aliases CVE-2009-1285
Summary Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.
Status Published
Exploitability 2.0
Weighted Severity 0.3
Risk 0.6
Weaknesses (0)
There are no known CWE.
Data source Metasploit
Description This module exploits a vulnerability in phpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x <= 2.11.9.4 and 3.x <= 3.1.3. There was a follow-up vulnerability as the patch was incomplete, affecting versions 3.x <= 3.1.3.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation.
Note
Reliability:
  - repeatable-session
Stability:
  - crash-safe
SideEffects:
  - config-changes
Ransomware campaign use Unknown
Source publication date March 24, 2009
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/webapp/phpmyadmin_config.rb
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.97182
EPSS Score 0.36057
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:07:09.935660+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.6.0