Increased active exploitation of years-old ThinkPHP, ownCloud flaws
Take action: If you are using ThinkPHP Framework or ownCloud and haven't patched them for a year, it's time to do it IMMEDIATELY. Hackers don't care if it's a hassle, or that it's an old service. They will happily exploit these old flaws to hurt you.
Security researchers have identified a significant surge in exploitation attempts targeting two critical vulnerabilities from 2022 and 2023, affecting ThinkPHP Framework and ownCloud respectively. The threat monitoring platform GreyNoise has documented this increased malicious activity.
The vulnerabilities under active exploitation are:
- CVE-2022-47945 (CVSS score 9.8) - Local File Inclusion vulnerability in ThinkPHP Framework which allows unauthenticated remote attackers to execute arbitrary operating system commands when the language pack feature is enabled. This vulnerability affects versions prior to 6.0.14.
- CVE-2023-49103 (CVSS score 7.5) - ownCloud GraphAPI vulnerability which exposes PHP environment details through a URL, allowing attackers to obtain sensitive information including administrator passwords, mail server credentials, and license keys.
For the ThinkPHP vulnerability, GreyNoise has detected 572 unique IP addresses attempting to exploit the flaw. Akamai previously reported that Chinese threat actors have been actively exploiting this vulnerability since October 2023 in targeted operations.
The ownCloud vulnerability, which was listed by the FBI, CISA, and NSA among the 15 most exploited vulnerabilities of 2023, continues to be actively targeted. GreyNoise has identified 484 unique IP addresses involved in exploitation attempts. 023, and patches have been available for over two years.
Organizations are advised to implement the following measures:
- Upgrade ThinkPHP installations to version 6.0.14 or later
- Update ownCloud GraphAPI to version 0.3.1 or newer
- Remove vulnerable instances from public internet access
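
An inventory check for the two upgrade measures above, as an added example that is not part of the original article. It assumes ThinkPHP is installed through Composer as the `topthink/framework` package recorded in `composer.lock`, and that the ownCloud app ships an `appinfo/info.xml` with `<id>graphapi</id>` and a `<version>` element; the sample inputs are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Fixed versions as stated in the article.
THINKPHP_FIXED = (6, 0, 14)
GRAPHAPI_FIXED = (0, 3, 1)

def parse_version(text):
    """'v6.0.13' -> (6, 0, 13); None for non-numeric versions such as 'dev-master'."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def verdict(found, fixed):
    if found is None:
        return "unknown"  # branch or alias version: inspect manually
    return "vulnerable" if found < fixed else "patched"

def thinkphp_status(composer_lock_text):
    """(version, verdict) for topthink/framework in a composer.lock, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name") == "topthink/framework":
            version = pkg.get("version", "")
            return version, verdict(parse_version(version), THINKPHP_FIXED)
    return None

def graphapi_status(info_xml_text):
    """(version, verdict) from the graphapi app's appinfo/info.xml, or None for other apps."""
    root = ET.fromstring(info_xml_text)
    if root.findtext("id", default="").strip() != "graphapi":
        return None
    version = root.findtext("version", default="")
    return version, verdict(parse_version(version), GRAPHAPI_FIXED)

# Constructed sample inputs (not taken from any real installation).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "topthink/think-orm", "version": "v2.0.55"},
    {"name": "topthink/framework", "version": "v6.0.13"},
]})
SAMPLE_INFO_XML = "<info><id>graphapi</id><version>0.3.0</version></info>"

if __name__ == "__main__":
    print("ThinkPHP:", thinkphp_status(SAMPLE_LOCK))
    print("ownCloud graphapi:", graphapi_status(SAMPLE_INFO_XML))
```

An "unknown" verdict means the lock file pins a branch rather than a tagged release, so the installed code has to be checked by hand.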