CVE-2022-47945
Published 2022-12-23
Priority: P1 · 86 · Critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 15.50% (96.4th percentile)
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thinkphp | thinkphp | < 6.0.14 | 6.0.14 |
| topthink | framework | >= 0 < 6.0.14 | 6.0.14 |
Detection & IOCs (extracted from sources)
Indicators:
- url: `{{BaseURL}}/?lang=../../thinkphp/base`
- url: `{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug`
- cookie: `think_lang`
Detection notes:
- HTTP GET requests with the `lang` parameter containing directory traversal sequences (e.g., `../../`) targeting ThinkPHP endpoints are indicative of CVE-2022-47945 LFI exploitation attempts.
- HTTP 500 responses containing both 'Call Stack' and 'class="trace' in the body indicate successful triggering of the ThinkPHP LFI vulnerability.
- Monitor for the `think_lang` response header or cookie, which identifies ThinkPHP applications and can be used to fingerprint targets for CVE-2022-47945 exploitation.
- GreyNoise observed 572 unique IPs attempting to exploit CVE-2022-47945; monitor for high-volume scanning from cloud provider IP ranges (Cloudflare, DigitalOcean, Google, Contabo) targeting the ThinkPHP lang parameter.
- Exploitation attempts targeting CVE-2022-47945 are part of a broader cryptomining campaign; post-exploitation activity should be monitored for cryptominer deployment and outbound connections to mining pools.
Context:
- CVE-2022-47945 is only exploitable when the language pack feature is explicitly enabled in the ThinkPHP configuration (lang_switch_on=true). Applications with this feature disabled are not vulnerable.
- Despite a high EPSS score (90.34%, 99.6th percentile), CVE-2022-47945 has a low EPSS rating of 7% in some scoring systems and is NOT listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which may cause it to be deprioritized in patch management workflows.
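The first two detection notes above can be turned into log-review logic. The following Python is an added example, not code from this page or from the ThinkPHP project: it parses Apache/Nginx combined-format access-log lines (an assumption about the log layout), flags requests whose `lang` query value contains a traversal sequence after full URL-decoding, and separately checks a response body for the `Call Stack` / `class="trace` pair. It goes slightly beyond the note's plain `../../` pattern by also catching single- and double-percent-encoded traversal, since a filter that decodes only once misses the latter. The sample log lines are constructed, not real traffic.

```python
"""Detection logic for the CVE-2022-47945 indicators listed above.

Added example, not code from the page or the ThinkPHP project. Assumes the
Apache/Nginx "combined" access-log format; the sample log lines are constructed.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format:
#   ip - - [timestamp] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal sequences, checked only after URL-decoding so that %2e%2e%2f and
# ../ are treated alike.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing.

    parse_qs already decodes once; the extra rounds catch double-encoded input
    (%252e%252e%252f) that a single-decode filter would let through.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lang_traversal_values(target: str) -> List[str]:
    """Return the decoded `lang` query values that contain a traversal sequence."""
    query = urlsplit(target).query
    hits = []
    for raw in parse_qs(query, keep_blank_values=True).get("lang", []):
        decoded = decode_fully(raw)
        if TRAVERSAL_RE.search(decoded):
            hits.append(decoded)
    return hits


def classify_line(line: str) -> Optional[dict]:
    """Parse one access-log line and return a finding, or None if benign.

    `server_error` flags a 500 status: the second indicator (a 500 body with
    'Call Stack' and 'class="trace') needs the response body, which access
    logs do not carry, so the status alone is only corroborating here.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return None
    hits = lang_traversal_values(m["target"])
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "target": m["target"],
        "status": int(m["status"]),
        "traversal": hits,
        "server_error": m["status"] == "500",
    }


def response_looks_like_thinkphp_trace(body: str) -> bool:
    """Second indicator, for tools (proxy, WAF, IDS) that do see the response body."""
    return "Call Stack" in body and 'class="trace' in body


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify_line over a log and keep only the findings."""
    return [f for f in (classify_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2025:10:01:02 +0000] "GET /?lang=../../thinkphp/base HTTP/1.1" 500 2311 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Feb/2025:10:01:03 +0000] "GET /index.php?lang=%2e%2e%2f%2e%2e%2fthinkphp%2fbase HTTP/1.1" 500 2311 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Feb/2025:10:02:00 +0000] "GET /?lang=%252e%252e%252fvendor HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Feb/2025:10:03:00 +0000] "GET /?lang=en-us HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Feb/2025:10:04:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running it over the constructed log reports the three traversal requests and ignores the ordinary `lang=en-us` request; the two that also returned 500 are the ones worth correlating with the application's own error log, where the `Call Stack` trace page would be visible.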
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
ThinkPHP Framework vulnerable to remote code execution
ghsa · 2022-12-23 · CVE-2022-47945 [CRITICAL] · CWE-22
OSV
ThinkPHP Framework vulnerable to remote code execution
osv · 2022-12-23 · CVE-2022-47945 [CRITICAL]
VulnCheck
thinkphp ThinkPHP Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2022 · CVE-2022-47945 [CRITICAL] · CVSS 9.8
Affected: thinkphp ThinkPHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-11&host_type=src&vulnerability=cve-2022-47945
- https://dashboard.shadowserver.org/statistics/honeypot/vulnera
No detection rules found.
Nuclei
Thinkphp Lang - Local File Inclusion
nuclei · CVE-2022-47945 [CRITICAL] · CVSS 9.8
Template:
```yaml
id: CVE-2022-47945
info:
  name: Thinkphp Lang - Local File Inclusion
  author: kagamigawa
  severity: critical
  description: |
    ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
  impact: |
    This vulnerability can lead
```
Greynoiseio
PHP Cryptomining Campaign: October/November 2025
blogs_greynoiseio · 2025-11-04 · [CRITICAL] · CVSS 9.8
Qualys
Inside the Surge of PHP and IoT Exploits with Qualys TRU | Qualys
blogs_qualys · 2025-10-30 · CVE-2022-22947 [CRITICAL] · CVSS 10.0
#### Table of Contents
- PHP Servers Are the Top Target for Vulnerabilities and Misconfigurations
- PHP Exploitation Trends and Noteworthy CVEs
- The Dangers of Exposed Secrets and Credentials
- IOT Devices Remain a Weak Link in Security
- MVPower DVR Shell Unauthenticated Command Execution
- Cloud Vulnerabilities: CVE-2022-22947
- Threat Actors Exploit Cloud Resources for Reconnaissance
- 5 Best Practices to Reduce Exploitation Risk
- Building Resilience with Integrated Security
Attack automation is accelerating, widening the window between detection and response. Qualys TRU telemetry reveals how these attacks unfold and what defenders can do next.
The Qualys Threat Research Unit (TRU) has identified a sharp increase in attacks targeting PHP servers, IoT devices, and cloud gateways, pr
Qualys
What Security Teams Need to Know as PHP and IoT Exploits Surge
blogs_qualys · 2025-10-30 · CVE-2022-22947 [CRITICAL] · CVSS 10.0
Greynoiseio
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio · 2025-05-27
Wiz
Crying Out Cloud Newsletter - March 2025 | Wiz
blogs_wiz · 2025-03-01 · CVE-2025-0108 [CRITICAL] · CVSS 9.8
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS firewalls. The flaw allows unauthenticated attackers with network access to invoke PHP scripts and potentially compromise firewall integrity and confidentiality. Researchers at Assetnote disclosed exploitation details, and active attacks have been observed since February 13, 2025.
At first, the value of this vulnerability for attackers was slightly unclear, since it “
Bleepingcomputer
Surge in attacks exploiting old ThinkPHP and ownCloud flaws
blogs_bleepingcomputer · 2025-02-12 · CVE-2022-47945 [CRITICAL] · CVSS 9.8
By Bill Toulas
Increased hacker activity has been observed in attempts to compromise poorly maintained devices that are vulnerable to older security issues from 2022 and 2023.
Threat monitoring platform GreyNoise is reporting spikes in actors leveraging CVE-2022-47945 and CVE-2023-49103 that affect ThinkPHP Framework and the open-source ownCloud solution for file sharing and syncing.
Both vulnerabilities have critical severity and can be exploited to execute arbitrary operating system commands or to obtain sensitive data (e.g. admin password, mail server credentials, license key).
The first vulnerability is a local file inclusion (LFI) issue in the language parameter of ThinkPHP Framework before 6.0.14. An unauthenticated
Greynoiseio
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale
blogs_greynoiseio · 2025-02-11 · [CRITICAL] · CVSS 9.8
References
- https://github.com/top-think/framework/commit/c4acb8b4001b98a0078eda25840d33e295a7f099
- https://github.com/top-think/framework/compare/v6.0.13...v6.0.14
- https://tttang.com/archive/1865/