
Hackers Actively Scanning for ThinkPHP Vulnerability, Akamai Says

There is widespread scanning for a recently disclosed remote code execution vulnerability in the ThinkPHP framework, Akamai reveals. 

ThinkPHP, a web framework by TopThink, is a Chinese-made PHP framework used by a large number of web developers in the country. In early December 2018, the framework was revealed to be impacted by a remote code execution bug that could allow an attacker to take over a vulnerable server. 

The issue was that user input was not properly sanitized, thus allowing an unauthenticated user to specify their own filter function to execute. 

“An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/thinkRequest/input&filter=phpinfo&data=1 query string,” the flaw’s MITRE page reads. 

Tracked as CVE-2018-20062, the vulnerability started being targeted immediately after proof-of-concept (PoC) code for it was published on December 11. Security researchers noticed an increase in scans for the vulnerability within days.

Now, Akamai notes that they have observed widespread scanning for the ThinkPHP vulnerability, and that multiple actors target the flaw to install “everything from a Mirai-like botnet to Microsoft Windows malware.” 
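The request shape the article quotes from the MITRE entry (a route into the framework's internal Request/input handler plus a caller-supplied `filter` function name) is distinctive enough to pick out of ordinary web-server access logs, which is how a defender would see the scanning Akamai describes. The following is an added example, not code from the article, from Akamai or from ThinkPHP: it parses combined-format access log lines, flags requests that carry both markers, and counts distinct probing sources. The log lines are constructed using documentation IP ranges and are not real traffic; the function and variable names are the example's own.

```python
"""Flag ThinkPHP CVE-2018-20062 probe requests in web-server access logs.

Added example (not from the article, Akamai or ThinkPHP). The request shape is
the one quoted in the article's MITRE text: s=index/thinkRequest/input&filter=<fn>.
All log lines below are constructed, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2018:10:01:02 +0000] "GET /index.php?s=index/thinkRequest/input&filter=phpinfo&data=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2018:10:01:05 +0000] "GET /index.php?s=index/user/profile&id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Dec/2018:10:03:00 +0000] "GET /search?filter=recent&q=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Dec/2018:10:04:41 +0000] "GET /public/index.php?s=index/thinkRequest/input&filter=phpinfo&data=1 HTTP/1.1" 404 162 "-" "python-requests/2.19.1"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_thinkphp_filter_probe(target: str) -> bool:
    """True when the request routes into the framework's Request/input handler
    AND supplies a caller-chosen filter function name (both markers required,
    so an ordinary 'filter=recent' search parameter does not match)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Strip backslashes so namespace-style spellings of the same route also match.
    routes = [r.replace("\\", "").lower() for r in params.get("s", [])]
    hits_route = any("thinkrequest/input" in r for r in routes)
    return hits_route and "filter" in params


def scan_log(text: str):
    """Return one finding per matching request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_thinkphp_filter_probe(m["target"]):
            params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "filter": params["filter"][0],
                "target": m["target"],
            })
    return findings


def sources(findings) -> Counter:
    """Distinct probing sources; many unrelated sources hitting the same
    route is the mass-scanning pattern rather than a targeted attack."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} filter={h["filter"]}')
    print("distinct sources:", len(sources(hits)))
```

The HTTP status in a finding is not a verdict: the 404 in the last sample line only shows that this particular path did not exist on the host, and a 200 does not by itself show the filter ran. Treat each hit as a trigger to check whether ThinkPHP is actually deployed and patched, and to look at what the responding process did next.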

Other identified payloads include web shell backdoors and cryptocurrency mining software, malware with distributed denial of service, spam and phishing capabilities, data exfiltration functionality, and tools capable of harvesting Windows credentials (Mimikatz). 

“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency,” Akamai’s Larry Cashdollar says. 


The security researcher also suggests that there will be “more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.” On top of that, WordPress plugin vulnerabilities also appear to be making their way into the IoT exploitation Swiss army knife, he says. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
