CVE-2019-9082
Published 2019-02-24
CVE-2019-9082: ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via…
Priority: P190 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 97.42% (99.9th percentile)
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cairographics | cairo | >= 0 < 1.14.6-1ubuntu0.1~esm1 | 1.14.6-1ubuntu0.1~esm1 |
| opensourcebms | open_source_background_management_system | — | — |
| thinkphp | thinkphp | < 3.2.4 | 3.2.4 |
| zzzcms | zzzphp | — | — |
Detection & IOCs (extracted from sources)
- url: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20thinkphp%20%7C%20rev
- url: public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=
- command: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo%20thinkphp%20%7C%20rev
Detection guidance:
- Detect exploitation attempts by matching the invokefunction RCE pattern in HTTP GET requests to index.php with the s parameter routing to \think\app/invokefunction combined with call_user_func_array and system.
- Detect the POST-based exploitation variant targeting /index.php?s=captcha with a body containing _method=__construct&filter[]=system, which abuses the ThinkPHP __construct filter chain for RCE.
- A successful exploitation response contains the string 'phpkniht' (reverse of 'thinkphp') in the HTTP response body; use this as a confirmation matcher.
- Hunt for downloads of 'public.txt' from Hong Kong-based IPs followed by creation of 'roeter.php' on the server; this is the Dama web shell deployment pattern observed in active campaigns.
- The Dama web shell uses the password 'admin' for its authentication step; monitor for POST requests to roeter.php with this credential.
- CVE-2019-9082 exploitation is frequently chained with CVE-2018-20062 in the same campaign; detections should correlate both exploit patterns from the same source IP.
- Use the FOFA query app="ThinkPHP" and the Google dork inurl:"index.php?s=" "thinkphp" to identify exposed ThinkPHP instances for proactive asset discovery and monitoring.
- CVE-2019-9082 exploitation has been observed delivering Golang-based Monero cryptominers; correlate ThinkPHP RCE alerts with outbound connections to mining pools.
- Compromised servers delivering the Dama web shell payload are themselves infected with the same shell and located in Hong Kong; treat Hong Kong-originating downloads of .txt files to web-accessible directories as high-priority alerts.
Caveats:
- The Nuclei template uses stop-at-first-match across two distinct exploit methods (GET invokefunction and POST captcha/__construct); ensure WAF/IDS rules cover both HTTP methods and both URL paths independently.
- The exploit-db entry (46488) attributes CVE-2019-9082 to a CSRF in zzzphp CMS 1.6.1, which differs from the NVD/Nuclei attribution to ThinkPHP RCE; verify the correct CVE mapping before deploying signatures, as the same CVE ID covers different attack surfaces depending on the source.
- The Dama web shell bypasses disabled PHP functions for shell command execution, meaning PHP disable_functions hardening alone is insufficient to contain post-exploitation activity.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 5.5 | MEDIUM | — |
| vulncheck | — | 10.0 | CRITICAL | — |
| cisa | — | 8.8 | HIGH | — |
VulnCheck · vulncheck·2025·CVSS 10.0
CVE-2025-31324 [CRITICAL] CWE-434 SAP NetWeaver Unrestricted File Upload Vulnerability
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
Affected: SAP NetWeaver
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/; https://arcticwolf.com/resources/blog-uk/cve-2025-31324-maximum-severity-file-upload-vulnerability-in-sap-netweaver-exploited-in-the-wild/; https://x.com/gothburz/status/1
VulnCheck · vulncheck·2024·CVSS 6.3
CVE-2024-3721 [MEDIUM] TBK DVR Command Injection Vulnerability
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely.
Affected: TBK TBK DVR
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-21&host_type=src&vulnerability=cve-2024-3721; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-22&host_type=src&vulner
VulnCheck · vulncheck·2024·CVSS 9.8
CVE-2024-4577 [CRITICAL] CWE-78 PHP-CGI OS Command Injection Vulnerability
PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
Affected: PHP Group PHP
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/; https://x.com/Shadowserver/status/1799053497490698548; https://infosec.exchange/@ntkramer/112582375921224782; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2024-4577; https://isc.sans.edu/diary/Attacker%20Probing%20for%20New%20PHP%20Vu
VulnCheck · vulncheck·2024·CVSS 5.3
CVE-2024-7120 [MEDIUM] raisecom msg2300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. This affects an unknown part of the file list_base_config.php of the component Web Interface. The manipulation of the argument template leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272451.
Affected: raisecom msg2300_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: http
VulnCheck · vulncheck·2023·CVSS 8.8
CVE-2023-1389 [HIGH] CWE-77 TP-Link Archer AX-21 Command Injection Vulnerability
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
Affected: TP-Link Archer AX21
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2023-1389; https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389; https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsen
GHSA · ghsa_unreviewed·2022-05-13
CVE-2019-9082 [HIGH] CWE-306 GHSA-qpgr-mp84-gp92: ThinkPHP before 3
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
OSV · osv·2022-05-10·CVSS 5.5
CVE-2016-9082 cairo vulnerabilities
Gustavo Grieco, Alberto Garcia, Francisco Oca, Suleman Ali, and others discovered that Cairo incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. (CVE-2016-9082, CVE-2017-9814, CVE-2019-6462)
Stephan Bergmann discovered that Cairo incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2020-35492)
VulnCheck · vulncheck·2022·CVSS 7.2
CVE-2022-24847 [HIGH] OSGeo GeoServer Improper Input Validation
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that t
VulnCheck · vulncheck·2022·CVSS 10.0
CVE-2022-22947 [CRITICAL] CWE-94 VMware Spring Cloud Gateway Code Injection Vulnerability
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
Affected: VMware Spring Cloud Gateway
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf; https://www.bleepingcomputer.com/news/security/microsoft-sysrv-botnet-targets-windows-linux-servers-with-new-exploits/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.malwarebytes.com/blog/news/2022/05/sysrv-botnet-is-out-to-mine-monero-on-your-windows-and-linux-servers; https://cybersecurity.att.com/blogs/labs-research/rapidly-evolvin
VulnCheck · vulncheck·2022·CVSS 9.8
CVE-2022-42475 [CRITICAL] CWE-197 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fortiguard.com/psirt/FG-IR-22-398; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw; https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-sh
VulnCheck · vulncheck·2020·CVSS 7.2
CVE-2020-8958 [HIGH] gpononu 1ge_router_wifi_onu_v2801rw_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.
Affected: gpononu 1ge_router_wifi_onu_v2801rw_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; htt
VulnCheck · vulncheck·2020·CVSS 5.3
CVE-2020-11625 [MEDIUM] avertx hd838_firmware Observable Discrepancy
An issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. Failed web UI login attempts elicit different responses depending on whether a user account exists. Because the responses indicate whether a submitted username is valid or not, they make it easier to identify legitimate usernames. If a login request is sent to ISAPI/Security/sessionLogin/capabilities using a username that exists, it will return the value of the salt given to that username, even if the password is incorrect. However, if a login request is sent using a username that is not present in the database, it will return an empty salt value. This allows attackers to enumerate legi
VulnCheck · vulncheck·2019·CVSS 8.8
CVE-2019-9082 [HIGH] CWE-306 ThinkPHP Remote Code Execution Vulnerability
ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Affected: ThinkPHP ThinkPHP
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.alibabacloud.com/blog/threat-alert-multiple-cryptocurrency-miner-botnets-start-to-exploit-the-new-thinkphp-vulnerability_594369; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://go.catonetworks.com/rs/245-RJK-441/images/Security%20Quarterly%20Report.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://decoded.avast.io/martinchlumecky/dirty
VulnCheck · vulncheck·2017·CVSS 9.8
CVE-2017-9841 [CRITICAL] CWE-94 PHPUnit Command Injection Vulnerability
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Affected: PHPUnit PHPUnit
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/; https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/; https://www.bleepingcomputer.com/news/security/new-cryptomining-malw
CISA · cisa·2021-11-03·CVSS 8.8
CVE-2019-9082 [HIGH] CWE-306 ThinkPHP Remote Code Execution Vulnerability
Affected: ThinkPHP ThinkPHP
ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-9082
Remediation Due Date: 2022-05-03
Suricata · suricata·2022-05-17·CVSS 9.8
CVE-2018-20062 [CRITICAL] ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)
ET EXPLOIT Attempted ThinkPHP any any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; reference:cve,2019-9082; classtype:web-application-attack; sid:2036599; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_17;)
Suricata · suricata·2022-05-17·CVSS 9.8
CVE-2018-20062 [CRITICAL] ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)
ET EXPLOIT Attempted ThinkPHP $HOME_NET any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; reference:cve,2019-9082; classtype:web-application-attack; sid:2036598; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_17;)
Exploit-DB · exploitdb·2020-04-16
CVE-2019-9082 ThinkPHP - Multiple PHP Injection RCEs (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'ThinkPHP Multiple PHP Injection RCEs',
'Description' => %q{
This module exploits one of two PHP injection vulnerabilities in the
ThinkPHP web framework to execute code as the web user.
Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
vulnerable to a separate vulnerability. The module will automatically
attempt to detect the version of the software.
Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
},
'Author' => [
# Discovery by unknown threaty threat actors
'wvu' # Module
],
'References' => [
# https://www.google.com/search?q=thin
Exploit-DB · exploitdb·2019-03-04·CVSS 7.2
CVE-2019-9082 [HIGH] zzzphp CMS 1.6.1 - Cross-Site Request Forgery
---
# Exploit Title: Cross-Site Request Forgery(CSRF) of zzzphp cms 1.6.1
# Google Dork: intext:"2015-2019 zzcms.com"
# Date: 26/02/2019
# Exploit Author: Yang Chenglong
# Vendor Homepage: http://www.zzzcms.com/index.html
# Software Link: http://115.29.55.18/zzzphp.zip
# Version: 1.6.1
# Tested on: windows/Linux,iis/apache
# CVE : CVE-2019-9082
Due to the absence of CSRF token in the request, attackers can forge the post request and insert malicious codes into the template file which leads to dynamic code evaluation.
Exploit:
history.pushState('', '', '/')
document.forms[0].submit();
Save the codes above as html file and host it on a web server. Send the link to the administrator of the website and
Nuclei · nuclei·CVSS 8.8
CVE-2019-9082 [HIGH] ThinkPHP < 3.2.4 - Remote Code Execution
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via the s parameter in index.php through the invokefunction functionality.
Template:
id: CVE-2019-9082
info:
  name: ThinkPHP < 3.2.4 - Remote Code Execution
  author: 0xanis
  severity: high
  description: |
    ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via the s parameter in index.php through the invokefunction functionality.
  impact: |
    Attackers can execute arbitrary system commands through the server without authentication, potentially leading to full system compromise.
  remediation: |
    Update to ThinkPHP 3.2.4 or later, or apply vendor patches.
  reference:
    - https://github.com/xyl-tools
Metasploit · metasploit
ThinkPHP Multiple PHP Injection RCEs
This module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
Greynoiseio · blogs_greynoiseio·2025-11-04·CVSS 9.8
[CRITICAL] PHP Cryptomining Campaign: October/November 2025
Bleepingcomputer · blogs_bleepingcomputer·2025-04-09
## Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
Bill Toulas
A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint.
Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption.
The campaign was discovered by F5 Labs researchers, who report that the malicious activity culminated between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
## Campaign over
Bleepingcomputer · blogs_bleepingcomputer·2024-06-06·CVSS 9.8
CVE-2018-20062 [CRITICAL] Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
Bill Toulas
Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.
The web shell enables further exploitation of the breached endpoints, such as enlisting them as part of the attackers' infrastructure to evade detection in subsequent operations.
The first signs of this activity date back to October 2023, but according to Akamai analysts monitoring it, the malicious activity has recently expanded and intensified.
## Targeting old vulnerabilities
ThinkPHP is an open-source web application development framework that is particularly popular in China.
CVE-2018-20062 , fixed in December 2018, is an issue discovered in NoneCM
Unit42 · blogs_unit42·2022-07-21·CVSS 9.8
CVE-2017-5638 [CRITICAL] Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
Unit 42, Published: July 21, 2022
## Executive Summary
Tens of thousands of vulnerabilities are reported every year, but not all are used by threat actors in real-world attacks. There are many reasons for this: a proof of concept (PoC) may not be available for attackers to weaponize, it may be too difficult to exploit the vulnerability, there may be a lack of accessible vulnerable software on the internet, or attackers may simply deem a vulnerability not worth exploiting due to low impact. Real-world defenders need real-world data on which vulnerabilities attackers are choosing to exploit – and where to focus protections.
In the 2022 Unit 42 Network Threat Trends Research Report, we’ve used data captured by the Palo Alto Networks Advanced Threat Prevention security service on Next-Generation Firewall and Prisma SASE from
Unit42 · blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Lei Xu, Yue Guan, Vaibhav Singhal, Published: April 12, 2021
Unit42 · blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang, Published: January 22, 2021
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Checkpoint · blogs_checkpoint·2019-07-08·CVSS 7.8
CVE-2018-7600 [HIGH] 8th July – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 8th July 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
The Japanese-American international convenience store 7/11 has shut down its new mobile payment app after threat actors stole $500,000 from its users. The attackers were able to perform unwanted charges on customers’ accounts due to a flaw in the password reset function, which allows anyone to reset the password for other cu
References:
- http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html
- https://github.com/xiayulei/open_source_bms/issues/33
- https://www.exploit-db.com/exploits/46488/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9082
Published: 2019-02-24
Added to CISA KEV: 2021-11-03
Exploited in the wild