External risk intelligence

ThinkPHP allows attackers to run any code on your systems through internet-facing services

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2018-25270

ThinkPHP's critical flaw lets unauthenticated attackers run any code on your servers by sending malicious web requests, potentially impacting widely deployed internet-facing applications.

Halo Surface Signal: 4

Remote Code Execution

ThinkPHP

5.0.0 to before 5.0.23, and 5.1.31

External exposure likelihood

Halo Surface Signal score for CVE-2018-25270

ThinkPHP is a web application framework designed to build public-facing websites and APIs. This vulnerability is triggered by an HTTP request sent to the application's main entry point, index.php. Because applications built with this framework are frequently deployed to provide services over the public internet, the vulnerable surface is commonly internet-facing.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in ThinkPHP allows unauthenticated attackers to execute arbitrary commands on your server. It stems from how the framework handles routing parameters, enabling attackers to call functions through specially crafted requests. This could lead to serious compromise of your application and its underlying systems.

  • Attacker can run commands on server.
  • No login needed to exploit.
  • Affects web applications.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this vulnerability by sending specially crafted requests to the ThinkPHP application's `index.php` endpoint. This allows them to invoke arbitrary PHP functions, leading to the execution of system commands with the privileges of the running application.

  • Invokes functions via routing parameter.
  • Targets `index.php` endpoint.
  • Requires unauthenticated access.

Live Threat

Current exploitation, exposure, and threat context

This ThinkPHP vulnerability offers a direct path for unauthenticated attackers to execute arbitrary code by manipulating function calls through the routing parameter. The ease of triggering this flaw via a simple HTTP request to the application's entry point makes it an attractive target for widespread exploitation. The current threat landscape suggests that such vulnerabilities, especially those in popular web frameworks, are prime candidates for weaponization by various threat actors.

  • Public exploit code exists.
  • Internet-facing applications are common.
  • Exploitation is unauthenticated.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking all incoming requests to `index.php` on ThinkPHP v5.0.x deployments. Actively monitor network traffic and application logs for any unusual function invocations or command executions to detect potential exploitation attempts. If possible, upgrade to a patched version of ThinkPHP.

  • Block unauthenticated requests to `index.php`.
  • Monitor for suspicious function calls.
  • Upgrade to ThinkPHP 5.0.24 or later.
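The monitoring step above can be made concrete with a small log scanner. The following is an added example, not code from the advisory or from the ThinkPHP project: it parses access-log lines in the common Apache/nginx combined format (an assumed log shape), keeps only requests to `index.php`, and flags any whose query string carries a backslash (a PHP namespace separator, which ordinary route values never contain) or a parameter named after a PHP function that executes commands or evaluates code. The heuristic list of function names and the sample log lines are constructed for this example; ThinkPHP's `s` query parameter is its real path-routing parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed heuristic: PHP functions that run OS commands or evaluate code.
# A legitimate ThinkPHP route or parameter value should never name one of these.
DANGEROUS_FUNCS = {
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "eval", "assert", "call_user_func", "call_user_func_array",
}

# Assumed log shape: Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_reasons(target: str) -> list[str]:
    """Return the reasons a request target looks like routing-parameter abuse, or []."""
    parts = urlsplit(target)
    if not parts.path.endswith("index.php"):
        return []                      # only the framework entry point matters here
    reasons = []
    decoded = unquote(unquote(parts.query))   # tolerate double URL-encoding
    if "\\" in decoded:
        reasons.append("namespace separator in query string")
    for key, value in parse_qsl(decoded, keep_blank_values=True):
        base = re.sub(r"\[.*$", "", key)       # vars[0] -> vars
        # Compare whole tokens, so a route like /admin/system/index is not flagged.
        if key.lower() in DANGEROUS_FUNCS or value.lower() in DANGEROUS_FUNCS:
            reasons.append(f"dangerous function name in '{base}'")
    return reasons

def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, reasons) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits

# Constructed sample log lines (TEST-NET addresses); the third one mimics the
# shape of a routing-parameter abuse attempt, the others are benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?s=/index/index HTTP/1.1" 200',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?s=/admin/system/index HTTP/1.1" 200',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?s=/index/%5Cfoo%5Cbar/baz&function=call_user_func_array&vars[0]=system HTTP/1.1" 200',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /static/app.js HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Feed real access logs into `scan_log` line by line; a hit is a prompt to confirm the deployed ThinkPHP version and to check the application logs from that client for follow-on activity.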

Frequently asked questions

What is the primary function impacted by the ThinkPHP vulnerability?

The ThinkPHP vulnerability allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. This means attackers can trick the application into running specific PHP functions they choose.

How can an attacker exploit this ThinkPHP vulnerability?

Attackers can exploit this by crafting malicious requests to the `index.php` endpoint. These requests include specific function parameters that trick ThinkPHP into executing system commands with the privileges of the application.

What versions of ThinkPHP are affected by this critical remote code execution flaw?

The vulnerability affects ThinkPHP versions from 5.0.0 up to, but not including, 5.0.23. Version 5.1.31 is also noted as affected.

What is the significance of ThinkPHP being a web application framework in relation to this vulnerability?

ThinkPHP is commonly used for public-facing websites and APIs. Because this vulnerability is triggered via HTTP requests to the application's main entry point, it frequently exposes internet-facing services, making it a widespread risk.

What is the recommended immediate action for ThinkPHP deployments using affected versions?

The recommended action is to prioritize blocking all incoming requests to `index.php` for ThinkPHP v5.0.x. Additionally, it is advised to monitor network traffic and application logs for unusual activity and to upgrade to a patched version of ThinkPHP as soon as possible.
