Outbreak AlertThinkPHP Remote Code Execution Vulnerability
Open source PHP framework vulnerabilities still being exploited in the wild
A remote code execution vulnerability exists within multiple subsystems of ThinkPHP 5.0.x and 5.1.x. The FortiGuard Labs continue seeing high exploitation attempts of these old vulnerabilities of more than 50,000 IPS device detections per day. There are multiple actors abusing this flaw to install malware such as Mirai like botnet, Lucifer, Cryptocurrency miners. Learn More »
Common Vulnerabilities and Exposures
Background
ThinkPHP is a free framework distributed under the Apache2 open-source license primarily used for Web application development and simplifying enterprise application development. Both of the CVE-2019-9082 and CVE-2018-20062 are on CISA's list of known exploited vulnerabilities (KEV) added in the year 2021 and successful exploitation of the flaws could allow a remote attacker to execute arbitrary code on the affected system.
Threat Radar Overall Score:
 |
CVSS Rating | 9.0 |
 |
FortiRecon Score | 92/100 |
 |
Known Exploited | Yes |
 |
Exploit Prediction Score | 97.45% |
 |
FortiGuard Telemetry | 70014 |
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
Dec 10, 2018: CVE-2018-20062, flaw discovered in noneCMS ThinkPHP.
https://github.com/nangge/noneCms/issues/21
Jan 11, 2019: CVE-2019-9082, flaw discovered in ThinkPHP package.
https://github.com/suitablecodes/open_source_bms/issues/33
Nov 03, 2021: CVE-2019-9082 and CVE-2018-20062, added to CISA's known exploited list.
FortiGuard customers remain protected by the IPS signature which was first released in 2018 and last updated in 2021. With IPS detections still at large in 2023 and online exploit availability for the CVEs, FortiGuard labs recommends users to immediately review and upgrade the vulnerable version of ThinkPHP to 5.0.23 / 5.1.31 and above.
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
-
AV
-
AV (Pre-filter)
-
Behavior Detection
-
IPS
-
Outbreak Detection
-
Threat Hunting
-
Assisted Response Services
-
Automated Response
-
InfoSec Services
-
Attack Surface Monitoring (Inside & Outside)
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Loading ...
Indicators of compromise
IOC Indicator List
| Indicator | Type | Status |
|---|---|---|
| http://31.210.20.120/ldr.sh | url | Active |
| http://194.145.227.21/ldr.sh | url | Active |
| http://194.145.227.21/sysrv | url | Active |
| 194.145.227.21 | ip | Active |
| 202.28.229.174 | ip | Active |
| http://202.28.229.174/sys.x86_64 | url | Active |
| http://202.28.229.174/ap.sh | url | Active |
| http://202.28.229.174/root.sh | url | Active |
| http://202.28.229.174/ap.txt | url | Active |
| http://194.145.227.21/sysrv.x86_64 | url | Active |
Indicators of compromise
IOC Threat Activity
Last 30 days
Chg
Avg 0
References
Sources of information in support and relation to this Outbreak and vendor.