Introduction
A critical unauthenticated remote code execution flaw in ThinkPHP 5.0.23 has been actively exploited by threat actors since December 2018, and campaigns leveraging this vulnerability were still observed as recently as June 2024. With a CVSS score of 9.8, CVE-2018-25270 allows attackers to execute arbitrary system commands on the server by simply crafting a malicious HTTP request to the application's index.php endpoint.
ThinkPHP is an open-source PHP web application framework created in 2006 and released under the Apache 2 license. It is extremely widely used in China, making it a significant target in that region's threat landscape. The framework is developed and maintained by Shanghai Topthink Information Technology Company and distributed via GitHub and Packagist.
Technical Information
The root cause of CVE-2018-25270 lies in how ThinkPHP's routing mechanism processes controller names and function invocations. The framework exposes an invokeFunction method that can be reached through URL routing parameters. When a request is made to the index.php endpoint, the framework parses the routing parameters to determine which controller and method to invoke. The critical flaw is that this parsing logic does not properly validate or restrict which functions can be called through the routing parameter.
An attacker exploits this by constructing an HTTP request that passes arbitrary PHP function names and their arguments through the URL routing structure. Because the framework fails to sanitize the controller name, it treats the attacker-supplied input as a legitimate function invocation. The invokeFunction method then executes the specified PHP function directly on the server.
Attack Flow
- The attacker identifies a ThinkPHP 5.0.23 (or earlier) instance exposed to the network, typically by fingerprinting the framework through default responses or error pages.
- The attacker crafts an HTTP request to the index.php endpoint. The request includes routing parameters that reference the invokeFunction method along with a dangerous PHP function (such as system or exec) and the desired command as an argument.
- The ThinkPHP routing engine receives the request and incorrectly processes the controller name, failing to validate that the target function is restricted.
- The framework invokes the attacker-specified function with the supplied arguments, executing arbitrary commands on the underlying operating system with the privileges of the web application process.
- The command output is returned to the attacker in the HTTP response, confirming successful code execution.
No authentication is required at any point in this chain. The entire attack can be carried out with a single HTTP request.
Overlapping Vulnerabilities
It is worth noting that ThinkPHP 5.x has multiple overlapping RCE vulnerabilities across different minor versions, all related to controller name processing and routing parameter handling. The specific invokeFunction vector in version 5.0.23 is one instance of a broader pattern of insufficient input validation in the framework's routing layer.
Affected Systems and Versions
| Framework Branch | Vulnerable Versions | Fixed Version | Vulnerability Mechanism |
|---|---|---|---|
| ThinkPHP 5.0 | 5.0.23 and earlier | 5.0.24 | Routing parameter invokeFunction RCE |
| ThinkPHP 5.0 | 5.0.22 and earlier | 5.0.23 | Controller name processing |
| ThinkPHP 5.1 | 5.1.29 and earlier | 5.1.30 or later | Controller name processing |
Organizations should verify their exact ThinkPHP version number carefully. The overlapping nature of these vulnerabilities across minor versions means that partial upgrades may leave systems exposed to a different but equally critical RCE vector.
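The two checks a defender needs from the sections above are a detection for requests that route to invokeFunction on index.php and a comparison of the deployed version against the fixed releases in the table. The following Python is an added example, not code from the page or from ThinkPHP; the log lines are constructed, and the dangerous-function list and the PATH_INFO handling are assumptions drawn from the text's description of the request shape.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (not from the original page). The first two
# follow the request shape the text describes; the third is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /index.php?s=index/invokefunction&function=system&vars[0]=id HTTP/1.1" 200 512
10.0.0.6 - - [12/Jun/2024:10:01:09 +0000] "GET /index.php?s=%2Findex%2FINVOKEFUNCTION&function=exec&vars%5B0%5D=id HTTP/1.1" 200 77
10.0.0.7 - - [12/Jun/2024:10:02:00 +0000] "GET /index.php?s=index/user/profile&id=42 HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# PHP functions that hand their argument to the OS shell; the text names system and exec.
DANGEROUS_FUNCS = {"system", "exec", "shell_exec", "passthru"}

def inspect_request(target):
    """Return a finding dict when the request routes to invokeFunction on index.php, else None."""
    parts = urlsplit(target)
    if "index.php" not in parts.path.lower():
        return None
    # parse_qsl decodes %xx once; decode again and lowercase so double-encoding
    # or mixed case in the route does not slip past the match.
    params = {k.lower(): unquote_plus(v).lower()
              for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    # ThinkPHP accepts the route both as PATH_INFO and as the "s" query variable.
    route = unquote_plus(parts.path).lower() + " " + params.get("s", "")
    if "invokefunction" not in route:
        return None
    called = sorted({v for v in params.values() if v in DANGEROUS_FUNCS})
    return {"route": route.strip(), "dangerous_functions": called}

def scan_log(text):
    """Run inspect_request over each request line, attaching the client address."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        finding = inspect_request(m.group("target")) if m else None
        if finding:
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings

# Fixed releases from the version table above, keyed by branch.
FIXED_RELEASE = {"5.0": (5, 0, 24), "5.1": (5, 1, 30)}

def is_vulnerable_version(version):
    """True when a 5.0/5.1 version string is below the branch's fixed release."""
    parts = tuple(int(x) for x in version.split("."))
    fixed = FIXED_RELEASE.get(f"{parts[0]}.{parts[1]}")
    return fixed is not None and parts < fixed
```

Running scan_log over SAMPLE_LOG flags the first two lines (system and exec respectively) and passes the third; the version check treats 5.0.23 and 5.1.29 as vulnerable and 5.0.24 and 5.1.30 as fixed.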
Vendor Security History
ThinkPHP has a documented history of critical remote code execution vulnerabilities in its 5.x branch. On December 17, 2018, the vendor published a blog post announcing an update that addressed a high-risk RCE vulnerability. The rapid adoption of exploits by threat actors following that disclosure indicates that the vulnerability was straightforward to weaponize. The existence of multiple related RCE flaws across versions 5.0.22, 5.0.23, 5.1.29, and their respective fixes suggests a systemic issue with input validation in the framework's routing and controller subsystems during this era of development.