Cyber Security News

Hackers Exploiting ThinkPHP & ownCloud Vulnerabilities at Large Scale

A recent surge in exploitation activity has been observed targeting two critical vulnerabilities, CVE-2022-47945 in ThinkPHP and CVE-2023-49103 in ownCloud.

These attacks highlight the persistent threat posed by unpatched systems and the challenges organizations face in prioritizing vulnerability management.

CVE-2022-47945 (ThinkPHP Local File Inclusion)

A local file inclusion (LFI) vulnerability in ThinkPHP versions prior to 6.0.14. Exploited via the lang parameter when language packs are enabled, this flaw allows unauthenticated attackers to execute arbitrary operating system commands.

GreyNoise observed 572 unique IPs attempting to exploit this vulnerability, with activity increasing significantly over the last 10 days.

Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)

Despite its critical nature, this vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog and has a low Exploit Prediction Scoring System (EPSS) score of 7%.

Notably, ThinkPHP vulnerabilities have previously been exploited by Chinese threat actors in targeted campaigns.

CVE-2023-49103 (ownCloud GraphAPI Information Disclosure)

This information disclosure vulnerability affects ownCloud/graphapi versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1.

It arises from a third-party library dependency that exposes sensitive PHP environment details via the phpinfo function, including admin credentials, mail server details, and license keys.

Researchers identified 484 unique IPs targeting this flaw, which has been actively exploited since its disclosure in November 2023 and was listed among the top exploited vulnerabilities of 2023 by CISA, NSA, and FBI.

Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)

Even disabling the graphapi app does not fully mitigate the risk, as sensitive configuration details remain exposed.

Mitigation Recommendations

To safeguard against these escalating threats, organizations should:

  • Upgrade ThinkPHP to version 6.0.14 or later.
  • Update ownCloud GraphAPI to version 0.3.1 or newer.
  • Leverage real-time threat intelligence platforms like GreyNoise to identify and block known attacker IPs.
  • Limit access to affected services by placing them behind firewalls or restricting public exposure.
  • For ownCloud users, remove vulnerable files like /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and change sensitive credentials immediately.
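One way to check whether either of these two indicators has already appeared in your web server access logs is shown below. This is an added example, not code from the article or from GreyNoise; it assumes Apache/nginx combined log format, that the ThinkPHP `lang` parameter arrives in the query string (it can also be supplied other ways, so treat a miss as inconclusive), and uses constructed sample lines rather than real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2025:10:00:01 +0000] "GET /index.php?lang=../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.11 - - [01/Feb/2025:10:00:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 20480
198.51.100.5 - - [01/Feb/2025:10:00:03 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 1024
198.51.100.6 - - [01/Feb/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Minimal combined-log parser: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path named in the article's mitigation list for CVE-2023-49103.
OWNCLOUD_PHPINFO_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def classify(target):
    """Return a finding label for one request target, or None if nothing matched."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # second decode catches double-encoded paths
    # CVE-2023-49103: any hit on the bundled phpinfo test script.
    if path == OWNCLOUD_PHPINFO_PATH or path.lower().endswith("/getphpinfo.php"):
        return "CVE-2023-49103 (ownCloud GraphAPI phpinfo)"
    # CVE-2022-47945: a 'lang' value carrying traversal or path separators.
    # Heuristic (assumption): a legitimate language code never contains these.
    for value in parse_qs(parts.query).get("lang", []):
        decoded = unquote(value)
        if ".." in decoded or "/" in decoded or "\\" in decoded:
            return "CVE-2022-47945 (ThinkPHP lang LFI)"
    return None


def scan(log_text):
    """Return (client_ip, finding, http_status) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        label = classify(m.group("target"))
        if label:
            findings.append((m.group("ip"), label, m.group("status")))
    return findings


if __name__ == "__main__":
    for ip, label, status in scan(SAMPLE_LOG):
        print(f"{ip}\t{status}\t{label}")
```

A 200 status on the GetPhpInfo.php hit means the file was still present and served; treat any such line as a credential-exposure event, not just a probe.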

As attackers continue to exploit overlooked vulnerabilities like CVE-2022-47945 while persisting with high-value targets like CVE-2023-49103, it becomes evident that traditional patch management approaches must evolve to incorporate dynamic threat intelligence.

Organizations must act swiftly to address these vulnerabilities and reassess their vulnerability management strategies to stay ahead of emerging threats.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
