ThinkPHP 5.0.23 unauthenticated remote code execution (CVE-2018-25270)

Patch now - CVE-2018-25270 is a critical remote code execution vulnerability in ThinkPHP 5.0.23 that gives unauthenticated attackers complete control of the server by simply sending a crafted HTTP request. Upgrade to version 5.0.24 immediately to block this exploit.

Overview

A critical vulnerability in ThinkPHP 5.0.23 enables unauthenticated remote code execution (RCE). Attackers can send specially crafted web requests to the framework’s index.php endpoint, tricking it into executing arbitrary PHP code with the privileges of the web application.

Vulnerability Details

The flaw resides in how ThinkPHP 5.0.23 handles routing parameters. By manipulating these parameters in an HTTP request, an attacker can invoke internal functions in a way that leads to the execution of arbitrary system commands. No authentication is required, and the attack complexity is low, making this vulnerability highly accessible to threat actors. The Common Vulnerability Scoring System (CVSS) rates this a 9.8 (Critical).

Impact

Successful exploitation grants an attacker the ability to run any command on the server that the web application’s user account can execute. This can lead to a complete compromise of the affected server, including data theft, installation of malware or backdoors, and use of the server as a foothold for further attacks within the network.

Affected Versions

This vulnerability specifically affects ThinkPHP version 5.0.23. All deployments using this version are at risk.

Remediation and Mitigation

The primary and most effective remediation is to upgrade ThinkPHP immediately.

Patch: Upgrade to ThinkPHP version 5.0.24 or any subsequent secure version. This update contains the necessary fix.

Immediate Action:

1. Identify all applications built with ThinkPHP 5.0.23.
2. Apply the vendor update to version 5.0.24 or higher without delay.
3. If immediate patching is impossible, consider implementing a Web Application Firewall (WAF) with rules to block malicious patterns targeting this vulnerability. This is a temporary mitigation, not a substitute for patching.

After patching, review servers for any signs of compromise, such as unfamiliar files, processes, or network connections. For more on incident response, you can review past breach reports.

Security Insight

This vulnerability is a stark example of the risks in popular web application frameworks where a single flaw can expose countless deployments. It mirrors past incidents in other frameworks where improper input handling in core routing mechanisms led to widespread RCE. Such flaws underscore the critical importance of subscribing to security advisories for all software components in your stack, not just the operating system. For ongoing coverage of similar threats, follow our security news.

Further Reading

• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs