可用于部署多种恶意软件的 ThinkPHP 远程代码执行漏洞 (CVE-2018-20062)
A remote code execution bug in the Chinese open source framework ThinkPHP is being actively used by threat actors to implant a variety of malware, primarily targeting Internet of Things (IoT) devices.
背景
Over the last few months, attackers have been leveraging CVE-2018-20062, a remote code execution (RCE) vulnerability in Chinese open source PHP framework ThinkPHP, to implant a variety of malware. While the vulnerability was patched on December 9, 2018, a proof of concept (PoC) was published to ExploitDB on December 11.
分析
Shortly after the publication of the PoC, researchers observed an uptick in attackers scanning for vulnerable versions of ThinkPHP. On December 20, Trend Micro published a blog about a new IoT botnet called Miori that spreads using CVE-2018-20062. According to Trend Micro researchers, additional IoT malware known as IZ1H9 and APEP began to utilize the same vulnerability as an infection vector.
In January 2019, the Akamai security team not only observed this vulnerability being used in attacks to implant IoT malware, but also discovered it being used to spread cryptocurrency miners and Windows malware. Trend Micro posted another blog on January 25, detailing the usage of this vulnerability by IoT malware known as Hakai and Yowai.
On February 4, researchers at Check Point named ThinkPHP as the initial infection vector in attacks targeting systems to implant a backdoor trojan known as SpeakUp.
Despite being patched in December 2018, CVE-2018-20062 has become a popular vulnerability for attackers looking to implant IoT malware onto systems. The vulnerability has also been observed in the propagation of other types of malware like cryptocurrency miners and trojans. We expect this to remain a popular exploit with attackers as long as systems remain unpatched.
解决方案
This vulnerability was patched in ThinkPHP versions 5.0.23 and 5.1.31. Users are strongly encouraged to upgrade to a newer version of the framework.
识别受影响的系统
A list of Nessus plugins to identify these vulnerabilities can be found here.
获取更多信息
- National Vulnerability Database: CVE-2018-20062
- PoC: ThinkPHP 5.x < v5.0.23,v5.1.31 Remote Code Execution
- With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit
- ThinkPHP Exploit Actively Exploited In The Wild
- ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai
- SpeakUp: A New Undetected Backdoor Linux Trojan
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
Get a free 60-day trial of Tenable.io Vulnerability Management.
Satnam Narang
安全响应高级员工研究工程师
Satnam 于 2018 年入职 Tenable。他有 15 年以上的行业经验(M86 Security 和 Symantec)。 他为反网络钓鱼工作组做出了贡献,助力国家网络安全联盟开发了一个社交网络指南,在 Twitter 上发现了一个巨大的垃圾邮件僵尸网络,并且是在 Tinder 上报告垃圾邮件僵尸网络第一人。 他还参加过 NBC Nightly News、Entertainment Tonight、Bloomberg West 和 Why Oh Why 的节目。
工作外兴趣:Satnam 写写诗,创作嘻哈音乐。他喜欢观看实况音乐,花时间教育三个侄女,享受足球和篮球带来的快乐,观看和收听宝莱坞电影和音乐以及 Grogu (Baby Yoda)。
相关文章
Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks
An analysis of Tenable telemetry data shows that the vulnerabilities being exploited by Chinese state-sponsored actors remain unremediated on a considerable number of devices, posing major risk to the organizations that have yet to successfully address these flaws.
Microsoft’s August 2025 Patch Tuesday Addresses 107 CVEs (CVE-2025-53779)
Microsoft addresses 107 CVEs, including one zero-day vulnerability that was publicly disclosed.
From Vulnerability to Visibility: What the SharePoint Attacks Reveal About the Need for Proactive Cybersecurity
The recent exploitation of Microsoft SharePoint vulnerabilities highlights a critical gap in traditional, reactive cybersecurity strategies. Learn how a proactive exposure management approach empowers federal agencies to reduce risk, streamline operations and stay secure.
- Vulnerability Management