cbcvebase.
CVE-2022-47945
published 2022-12-23

Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 15.50% (96.4th percentile)
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.

Affected (2 ranges)

Vendor    | Product   | Version range   | Fixed in
thinkphp  | thinkphp  | < 6.0.14        | 6.0.14
topthink  | framework | >= 0, < 6.0.14  | 6.0.14

Detection & IOCs (extracted from sources)

path: /vendor/pear/pearcmd.php
path: /usr/local/lib/php/pearcmd
filename: pearcmd.php
url: {{BaseURL}}/?lang=../../thinkphp/base
url: {{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug
cookie: think_lang
  • HTTP GET requests with the `lang` parameter containing directory traversal sequences (e.g., `../../`) targeting ThinkPHP endpoints are indicative of CVE-2022-47945 LFI exploitation attempts.
  • HTTP 500 responses containing both 'Call Stack' and 'class="trace' in the body indicate successful triggering of the ThinkPHP LFI vulnerability.
  • Monitor for the `think_lang` response header or cookie, which identifies ThinkPHP applications and can be used to fingerprint targets for CVE-2022-47945 exploitation.
  • GreyNoise observed 572 unique IPs attempting to exploit CVE-2022-47945; monitor for high-volume scanning from cloud provider IP ranges (Cloudflare, DigitalOcean, Google, Contabo) targeting ThinkPHP lang parameter.
  • Exploitation attempts targeting CVE-2022-47945 are part of a broader cryptomining campaign; post-exploitation activity should be monitored for cryptominer deployment and outbound connections to mining pools.
  • CVE-2022-47945 is only exploitable when the language pack feature is explicitly enabled in ThinkPHP configuration (lang_switch_on=true). Applications with this feature disabled are not vulnerable.
  • Despite a high EPSS score (90.34%, 99.6th percentile), CVE-2022-47945 has a low EPSS rating of 7% in some scoring systems and is NOT listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which may cause it to be deprioritized in patch management workflows.
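The first two detection bullets above (a `lang` query parameter carrying directory-traversal sequences, and a 500 response whose body contains both 'Call Stack' and 'class="trace') can be turned into a small log-scanning check. The script below is an added example written for this page; it is not code from cbcvebase, ThinkPHP or any of the cited sources. It assumes web-server access logs in the common "combined" format and, for the response-body indicator, that a reverse proxy or WAF has captured the body. The log lines, IP addresses and timestamps are constructed for the example and are not real traffic. It goes slightly beyond the bullet by percent-decoding the parameter repeatedly, so double-encoded traversal is also caught.

```python
"""Detection helper for CVE-2022-47945 (ThinkPHP lang-parameter LFI) attempts.

Added example; not part of the cbcvebase page or of ThinkPHP. Assumes access
logs in the combined format and, optionally, captured response bodies.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). The two
# traversal payloads mirror the url IOCs listed on the page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:08:11:02 +0000] "GET /?lang=../../thinkphp/base HTTP/1.1" 500 2412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:08:11:03 +0000] "GET /index.php?lang=..%2F..%2F..%2F..%2F..%2Fvendor%2Ftopthink%2Fthink-trace%2Fsrc%2FTraceDebug HTTP/1.1" 500 2412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2023:08:12:40 +0000] "GET /?lang=zh-cn HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2023:08:13:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.81.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "../" or "..\" after decoding; the page's IOCs only use the forward-slash form.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lang_values(target):
    """Return every decoded value of the `lang` query parameter in a request target."""
    query = urlsplit(target).query
    return [decode_fully(v) for v in parse_qs(query, keep_blank_values=True).get("lang", [])]


def classify_line(line):
    """Return a finding dict if the line looks like a lang-parameter traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [v for v in lang_values(m["target"]) if TRAVERSAL_RE.search(v)]
    if not hits:
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "lang": hits[0],
        "status": status,
        # A 500 on a traversal request matches the page's trace-page indicator;
        # a 200 may mean the include resolved. Other codes are still worth a look.
        "severity": "high" if status in (200, 500) else "medium",
    }


def scan_log(text):
    """Run classify_line over every line of an access log and collect the findings."""
    return [f for f in (classify_line(ln) for ln in text.splitlines()) if f]


def response_indicates_trace(status, body):
    """Second page indicator: HTTP 500 whose body has both 'Call Stack' and 'class="trace'."""
    return status == 500 and "Call Stack" in body and 'class="trace' in body


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints two findings, both from 203.0.113.7 with status 500, and nothing for the legitimate `lang=zh-cn` request. `response_indicates_trace` is separate because access logs do not carry response bodies; feed it the status and body from a proxy or WAF capture, and treat a traversal finding plus a matching body as a confirmed trigger rather than just an attempt.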

CVSS provenance

NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL