ThinkPHP RCE Vulnerabilities (CVE-2019-9082, CVE-2018-20062) Actively Exploited in the Wild

Description

Update: 4/26

FortiEDR KB article "Threat Coverage: FortiEDR mitigates the risk of post-exploitation activity associated with exploitation of zero day vulnerabilities and unknown malware" added to APPENDIX section. The "What is the Status of Protection?" section has been updated with additional coverage information.


FortiGuard Labs is observing active exploitation of several ThinkPHP remote code execution vulnerabilities (CVE-2019-9082 and CVE-2018-20062). Successful exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the affected system. Both vulnerabilities are on CISA's Known Exploited Vulnerabilities (KEV) catalog.


Why is this Significant?

This is significant because active exploitation of CVE-2019-9082 and CVE-2018-20062 is being observed. Also, Proof-of-Concept (PoC) code is publicly available for both vulnerabilities, and both are on CISA's Known Exploited Vulnerabilities (KEV) catalog. As such, patches should be applied as soon as possible.


What is CVE-2019-9082?

CVE-2019-9082 is a PHP injection vulnerability that affects ThinkPHP prior to version 3.2.4. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 8.8.


What is CVE-2018-20062?

CVE-2018-20062 is a PHP injection vulnerability that affects ThinkPHP prior to version 5.0.23. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 9.8.


Is a Patch Available for CVE-2019-9082 and CVE-2018-20062?

Yes, a patch is available for both CVE-2019-9082 and CVE-2018-20062.


What is the Status of Protection?

FortiGuard Labs has the following IPS signatures in place for CVE-2019-9082 and CVE-2018-20062:

  • ThinkPHP.Controller.Parameter.Remote.Code.Execution

The FortiGuard Labs FortiEDR product provides post-exploitation protection against known ThinkPHP vulnerabilities.

Outbreak Alert

A remote code execution vulnerability exists within multiple subsystems of ThinkPHP 5.0.x and 5.1.x. FortiGuard Labs continues to see a high volume of exploitation attempts against these old vulnerabilities, with more than 50,000 IPS device detections per day. Multiple actors are abusing this flaw to install malware such as Mirai-like botnets, Lucifer, and cryptocurrency miners.

View the full Outbreak Alert Report