Hackers Actively Scanning for ThinkPHP Vulnerability, Akamai Says

There is widespread scanning for a recently disclosed remote code execution vulnerability in the ThinkPHP framework, Akamai reveals.

ThinkPHP, a web framework by TopThink, is a Chinese-made PHP framework used by a large number of web developers in the country. In early December 2018, the framework was revealed to be impacted by a remote code execution bug that could allow an attacker to take over a vulnerable server. 

The root cause was that the framework did not properly sanitize user input: an unauthenticated request could name its own filter function, and the framework would then call it.

“An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/thinkRequest/input&filter=phpinfo&data=1 query string,” the flaw’s MITRE page reads. 

Tracked as CVE-2018-20062, the vulnerability started being targeted immediately after proof-of-concept (PoC) code for it was published on December 11. Security researchers noticed an increase in scans for the vulnerability within days.

Now, Akamai notes that it has observed widespread scanning for the ThinkPHP vulnerability, and that multiple actors are targeting the flaw to install “everything from a Mirai-like botnet to Microsoft Windows malware.”
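As an added illustration (not Akamai's tooling and not code from the article), the following Python script shows how a defender could spot the probing described above in web server access logs. It parses combined-format log lines, decodes the `s` routing parameter and the `filter` query parameter, and flags requests that route to ThinkPHP's Request/input handler with a filter value outside an allowlist, or that name a PHP callable such as `phpinfo` on any route. It also counts hits per source address, since repeated probes from one source are what "scanning" looks like in a log. The sample log lines, IP addresses and the allowlist of expected filter functions are constructed assumptions; in practice the allowlist should reflect the filter functions the application actually uses.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs, unquote

# Assumption: filter functions a legitimate ThinkPHP application might name in
# a request. Tune this allowlist to what your own application actually uses.
EXPECTED_FILTERS = {"trim", "htmlspecialchars", "strip_tags", "intval", "addslashes"}

# PHP callables that have no business being named as a request filter; seeing
# one of these in a `filter` parameter is a strong indicator of a probe for the
# filter-injection flaw discussed in the article.
DANGEROUS_CALLABLES = {"phpinfo", "system", "exec", "shell_exec", "passthru",
                       "assert", "eval", "popen", "proc_open", "call_user_func"}

# Apache/nginx "combined" log format; only the request target is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target):
    """Return None for a benign request, or a short reason string when the
    request looks like a ThinkPHP filter-injection probe."""
    parsed = urlparse(target)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    # Normalise the route: strip backslashes (PHP namespace separators, which
    # may also arrive URL-encoded) and lower-case so "\think\Request" matches.
    route = unquote(qs.get("s", [""])[0]).replace("\\", "").lower()
    filt = unquote(qs.get("filter", [""])[0]).strip().lower()
    if not filt:
        return None
    # The query string addresses the framework's Request->input() directly.
    routed_to_input = "think" in route and "request" in route and "input" in route
    if filt in DANGEROUS_CALLABLES:
        return f"dangerous callable in filter: {filt}"
    if routed_to_input and filt not in EXPECTED_FILTERS:
        return f"unexpected filter on Request/input route: {filt}"
    return None


def scan_log(lines):
    """Parse access-log lines; return (alerts, hits_per_ip) where alerts is a
    list of (ip, target, reason) and hits_per_ip counts flagged requests."""
    alerts = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        reason = classify_request(m["target"])
        if reason:
            alerts.append((m["ip"], m["target"], reason))
            per_ip[m["ip"]] += 1
    return alerts, per_ip


# Constructed sample traffic (not real logs); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2018:10:01:02 +0000] "GET /index.php?s=index/\\think\\Request/input&filter=phpinfo&data=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Dec/2018:10:01:05 +0000] "GET /index.php?s=index/%5Cthink%5CRequest/input&filter=phpinfo&data=1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Dec/2018:10:02:10 +0000] "GET /index.php?s=index/user/profile&filter=trim&name=bob HTTP/1.1" 200 1024',
    '198.51.100.4 - - [12/Dec/2018:10:02:11 +0000] "GET /index.php?s=index/\\think\\Request/input&filter=trim&data=x HTTP/1.1" 200 30',
    '192.0.2.9 - - [12/Dec/2018:10:03:00 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Dec/2018:10:04:30 +0000] "GET /index.php?s=index/\\think\\Request/input&filter=strrev&data=abc HTTP/1.1" 200 30',
]

if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for ip, target, reason in found:
        print(f"{ip}  {reason}  <- {target}")
    for ip, n in counts.most_common():
        print(f"{ip}: {n} flagged request(s)")
```

The two rules are deliberately layered: a dangerous callable is flagged wherever it appears, while the allowlist check only fires on the `Request/input` route, so ordinary pages that legitimately pass a `filter` value are not drowned in alerts. Feeding real logs through `scan_log` and alerting on any source with more than a handful of flagged requests gives the "scanning" signal the article describes.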

Other identified payloads include web shell backdoors and cryptocurrency mining software; malware with distributed denial of service, spam and phishing, and data exfiltration capabilities; and tools capable of harvesting Windows credentials (Mimikatz).

“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency,” Akamai’s Larry Cashdollar says. 

The security researcher also suggests that there will be “more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.” On top of that, WordPress plugin vulnerabilities also appear to be making their way into the IoT exploitation Swiss army knife, he says. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
