Active Exploits Of ThinkPHP Vulnerability Found Even After Patch


In December 2018, we witnessed active exploits of a ThinkPHP vulnerability. After the discoverers of this flaw posted its PoC, the vulnerability became widely known within 24 hours, triggering a barrage of attacks on more than 45,000 websites. Although the developers released a patch for this bug, it was still being actively exploited in the wild before the patch was applied.

ThinkPHP Vulnerability Still Actively Exploited

Last month, the developers fixed a flaw in the ThinkPHP framework that threatened more than 45,000 websites. However, despite the fix, researcher Larry Cashdollar has still spotted the flaw being actively exploited.

As stated in his blog, he was investigating Magecart card skimming attacks when he noticed something else. Scratching the surface revealed to him that there were multiple active exploits of the ThinkPHP vulnerability.

“There are multiple actors abusing this flaw to install everything from a Mirai like botnet to Microsoft Windows malware.”

Specifically, he found multiple payload variations attempting to achieve different malicious goals. These include cryptomining, web shell backdoors, and other malware attacks. The target machines include Windows, Linux, and IoT devices. He further explained the payloads outlined in his report:

“…it appears the Linux infections build a botnet with a lot of similarities to Mirai. Windows infections appear to be involved in Crypto Mining activities, trojans, and additional features such as windows password cracking capabilities.”

According to his findings, most active exploits are happening in Asia-Pacific, the region where the ThinkPHP framework originated. However, the attacks are not limited to this area; the attackers are also targeting other locations, including Europe. In short, the attackers seem busy finding as many vulnerable devices as they can for mining Bitcoin and Monero.

“The majority of the attacking IPs are compromised web servers, routers and, IoT devices.”

About The ThinkPHP Web Framework Vulnerability

The ThinkPHP flaw made the news when multiple reports of active exploits surfaced online. As revealed last month, a threat group with the alias “D3cemb3r” attacked more than 45,000 Chinese websites to spread the Miori IoT malware.

The vulnerability exists in the ThinkPHP framework, a web framework developed in China. This remote code execution flaw (CVE-2018-20062) enables a potential attacker to execute arbitrary code. As described by FortiGuard Labs,

“The vulnerability is a result of the application’s failure to properly sanitize user request. As a result, a remote attacker can send a crafted HTTP request to execute arbitrary code on a vulnerable server.”

The flaw affected ThinkPHP versions 5.0 and 5.1. The developers then patched it in subsequent releases.

However, even after the patch, Cashdollar discovered continued exploitation of the flaw. Regarding remediation, DarkReading stated that he recommends immediately upgrading to the current patched version of the ThinkPHP framework.


Abeerah Hashim
