
Chinese Hackers Exploit Old ThinkPHP Vulnerabilities in New Attacks

Akamai warns that a Chinese threat actor is exploiting years-old remote code execution vulnerabilities in ThinkPHP in new attacks.

Two remote code execution (RCE) vulnerabilities in ThinkPHP that were patched over five years ago are being exploited in a fresh wave of attacks, according to a warning from Akamai.

The bugs, publicly disclosed in late 2018 and early 2019 – see CVE-2018-20062 and CVE-2019-9082 – impact content management systems still using older versions of the popular open-source web application framework, and Akamai researchers say attackers are taking advantage of that.

In two attack campaigns, one running for a few days in October 2023 and another ongoing since April 2024, a Chinese-speaking threat actor has been exploiting the flaws to fetch a file from a likely compromised server in China, and to deploy a web shell on vulnerable servers.

The web shell, called Dama, allows attackers to navigate the file system and tamper with local files, harvest information, and upload files.

Post exploitation, the attackers perform network port scanning, access existing databases, and escalate privileges, including by “bypassing disabled sensitive PHP functions to escape the PHP sandbox and execute shell commands on the server,” Akamai said.

Additionally, the Dama web shell can abuse the Windows Task Scheduler to reconfigure Windows Management Instrumentation (WMI) to add high-privileged users.

Impacting ThinkPHP prior to version 5.0.23, CVE-2018-20062 was patched in December 2018. CVE-2019-9082 impacts ThinkPHP versions before 3.2.4 and was addressed in February 2019.

Proof-of-concept (PoC) code targeting these flaws has been publicly available for over five years, and both flaws started being exploited in the wild shortly after their public disclosure.


With the framework now at version 8.0, Akamai says organizations should patch as a matter of urgency, especially given that attackers continue to target unpatched iterations.

“The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully-fledged web shell, designed for advanced victim control. Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems,” Akamai added.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

