Threat Actors Rapidly Adopt New ThinkPHP RCE Exploit to Spread IoT Malware and Deploy Remote Shells

Key Points

  1. Only a few days after the ThinkPHP vulnerability was discovered, it is already being exploited on the Internet.
  2. Almost 46,000 servers, most of which are located in China, are potential targets for this exploit.
  3. Multiple campaigns have been launched simultaneously by different threat actors, which might suggest the infection potential of this vulnerability.
  4. Campaigns range from reconnaissance and uploading backdoors to deploying a variant of the Mirai IoT malware.

F5 researchers have observed multiple new campaigns leveraging a very recent exploit against ThinkPHP, a PHP framework that is popular in China. Within days of its discovery, the vulnerability had already been exploited in the wild by multiple threat actors. This follows the pattern we have seen with other RCE vulnerabilities, such as Apache Struts 2 (CVE-2017-5638, mentioned last year), where attackers rush to capitalize on the window between disclosure and the time it takes organizations to patch. New ThinkPHP campaigns with a variety of purposes are being launched every couple of days, and in our experience such campaigns, although rapidly deployed, can persist for more than a year.

Remote Code Execution Vulnerability

On December 9, ThinkPHP released a security update stating that a recent vulnerability had been patched. According to ThinkPHP (translated from Chinese), “Because the framework does not detect the controller name enough, it may lead to possible ‘getshell’ vulnerabilities without the forced routing enabled.” Looking at the vulnerable code, the vulnerability stems from unvalidated input: the controller name is not checked, which allows an attacker to reach the app.invokefunction function and run arbitrary functions on the affected system. The vulnerability affects versions 5.0 and 5.1 and was fixed in versions 5.0.23 and 5.1.31.
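As an added defender-side example (not code from the F5 report or the ThinkPHP project), the script below checks whether a ThinkPHP version string falls in the affected, unpatched range named above and scans access-log lines for requests that name invokefunction in the route. The combined log format, the sample log lines, and the assumption that a legitimate ThinkPHP route never names invokefunction in the URL are all assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Fixed releases named in the advisory; only the 5.0.x and 5.1.x branches are affected.
FIXED_IN = {(5, 0): (5, 0, 23), (5, 1): (5, 1, 31)}

def is_vulnerable_version(version: str) -> bool:
    """True when a ThinkPHP version string is in an affected branch and below the fix."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    nums = (nums + (0, 0, 0))[:3]          # "5.0" is treated as 5.0.0 (unpatched)
    fixed = FIXED_IN.get(nums[:2])
    return fixed is not None and nums < fixed

# Apache/nginx combined log format (assumed); only the request line is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# The advisory describes reaching app.invokefunction through an unchecked controller
# name; a normal ThinkPHP route never names this method in the URL (assumption).
SUSPICIOUS = re.compile(r"invokefunction", re.IGNORECASE)

def flag_requests(log_lines):
    """Return (ip, method, decoded_uri, status) for requests that name invokefunction."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = unquote_plus(unquote_plus(m["uri"]))  # decode twice to catch double-encoding
        if SUSPICIOUS.search(uri):
            hits.append((m["ip"], m["method"], uri, m["status"]))
    return hits

# Constructed sample lines (not real traffic); the second and fourth should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2018:10:01:02 +0000] "GET /index.php?s=index/index/index HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Dec/2018:10:01:07 +0000] "GET /index.php?s=index/app/invokefunction HTTP/1.1" 200 87',
    '198.51.100.7 - - [12/Dec/2018:10:02:11 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 1024',
    '198.51.100.7 - - [12/Dec/2018:10:02:15 +0000] "GET /index.php?s=index%252Fapp%252FInvokeFunction HTTP/1.1" 500 0',
]
# Caveat: standard access logs do not record POST bodies, so a route delivered in a
# request body is invisible here; pair this with WAF or application-level logging.

if __name__ == "__main__":
    for ip, method, uri, status in flag_requests(SAMPLE_LOG):
        print(f"{ip} {method} {uri} -> {status}")
```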


