SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Exploitation of Old ThinkPHP, OwnCloud Vulnerabilities Surges

Threat actors are increasingly exploiting two old vulnerabilities in ThinkPHP and OwnCloud in their attacks.

Threat actors have been ramping up the exploitation of two old vulnerabilities in ThinkPHP and OwnCloud, threat intelligence firm GreyNoise warns.

The ThinkPHP issue, tracked as CVE-2022-47945 (CVSS score of 9.8), is described as a local file inclusion flaw via the ‘lang’ parameter. It affects the ThinkPHP framework iterations prior to version 6.0.14 that have the language pack feature enabled.

“An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands,” a NIST advisory reads.

The security defect is not included in US cybersecurity agency CISA’s Known Exploited Vulnerabilities (KEV) catalog and has not drawn much attention, although threat actors have been exploiting it in the wild, GreyNoise notes.

The OwnCloud bug, tracked as CVE-2023-49103 (CVSS score of 10) and affecting the ‘graphapi’ app, leads to the disclosure of the PHP environment’s configuration details (phpinfo) through a URL in a third-party library.

Exploitation of the vulnerability started only days after its public disclosure in November 2023, when Shadowserver Foundation warned that there were roughly 11,000 OwnCloud instances exposed to the internet.

CISA added CVE-2023-49103 to the KEV catalog on November 30, 2023, and warned roughly one year later that it had become one of the top routinely exploited vulnerabilities.

According to GreyNoise, the threat activity around both vulnerabilities has surged significantly over the past 10 days, as attackers are scanning for vulnerable instances and attempting to exploit them.

Advertisement. Scroll to continue reading.

The threat intelligence firm says it has observed 572 unique IPs attempting to exploit the ThinkPHP bug and 484 unique IPs targeting the OwnCloud defect.

Organizations are advised to apply the available patches for both ThinkPHP and OwnCloud, to reduce their attack surface by limiting access to vulnerable services, and to monitor and block known malicious IPs.

Related: Trimble Cityworks Customers Warned of Zero-Day Exploitation

Related: CISA Issues Exploitation Warning for .NET Vulnerability

Related: Exploitation of Over 700 Vulnerabilities Came to Light in 2024

Related: Adobe Patches ColdFusion Flaw at High Risk of Exploitation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

SplxAI, a startup focused on securing AI agents, has announced new CISO Sandy Dunn.

Phillip Miller is joining tax preparation giant H&R Block as VP and CISO.

Linx Security has appointed Sarit Reiner Frumkes as Chief Technology Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.