virus logo Threat Signal Report

ThinkPHP RCE Vulnerabilities (CVE-2019-9082, CVE-2018-20062) Actively Exploited in the Wild

Description

Update: 4/26

FortiEDR KB article "Threat Coverage: FortiEDR mitigates the risk of post-exploitation activity associated with exploitation of zero day vulnerabilities and unknown malware" added to APPENDIX section. The "What is the Status of Protection?" section has been updated with additional coverage information.


FortiGuard Labs is observing active exploitation of several ThinkPHP remote code execution vulnerabilities (CVE-2019-9082 and CVE-2018-20062). Successful exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the affected system. Both vulnerabilities are on CISA's Known Exploited Vulnerabilities (KEV) catalog.


Why is this Significant?

This is significant because active exploitation of CVE-2019-9082 and CVE-2018-20062 is being observed. Also, Proof-of-Concept (PoC) code is publicly available for both vulnerabilities. They are on CISA's Known Exploited Vulnerabilities (KEV) catalog. As such, patches should be applied as soon as possible.


What is CVE-2019-9082?

CVE-2019-9082 is a PHP injection vulnerability that affects ThinkPHP prior to version 3.2.4. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 8.8.


What is CVE-2018-20062?

CVE-2018-20062 is a PHP injection vulnerability that affects ThinkPHP prior to version 5.0.23. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 9.8.


Is Patch Available for CVE-2019-9082 and CVE-2018-20062?

Yes, patch is available for both CVE-2019-9082 and CVE-2018-20062.


What is the Status of Protection?

FortiGuard Labs has the following IPS signatures in place for CVE-2019-9082 and CVE-2018-20062:

  • ThinkPHP.Controller.Parameter.Remote.Code.Execution

FortiGuard Labs FortiEDR product will provide post exploitation protection against known ThinkPHP vulnerabilities.

description-logoOutbreak Alert

A remote code execution vulnerability exists within multiple subsystems of ThinkPHP 5.0.x and 5.1.x. The FortiGuard Labs continue seeing high exploitation attempts of these old vulnerabilities of more than 50,000 IPS device detections per day. There are multiple actors abusing this flaw to install malware such as Mirai like botnet, Lucifer, Cryptocurrency miners.

View the full Outbreak Alert Report

Telemetry

Appendix

Outbreak Alert: ThinkPHP Remote Code Execution Vulnerability (Fortinet)

ThinkPHP.Controller.Parameter.Remote.Code.Execution (Fortinet)

Threat Coverage: FortiEDR mitigates the risk of post-exploitation activity associated with exploitation of zero day vulnerabilities and unknown malware (Fortinet)

CVE-2019-9082 (MITRE)

CVE-2018-20062 (MITRE)

CVE-2019-9082 (NIST)

CVE-2018-20062 (NIST)


ID 32
Date Apr 19, 2023
Outbreak Alert ThinkPHP RCE
CVE ID CVE-2019-9082
CVE-2018-20062
Threat/
Vulnerability		 Vulnerability
FortiGate Device Triggered n/a
Threat Actor Type Unknown
Experienced a Breach? We're here to help FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert