Full Report
Increased hacker activity has been observed in attempts to compromise poorly maintained devices that are vulnerable to older security issues from 2022 and 2023. [...]
Analysis Summary
# Vulnerability: Surge in Exploitation of Old ThinkPHP and ownCloud Flaws
## CVE Details
- CVE ID: CVE-2022-47945 (ThinkPHP) and CVE-2023-49103 (ownCloud)
- CVSS Score: N/A (not stated in the source for either CVE; CVE-2022-47945 is noted for high exploitation activity, and CVE-2023-49103 was listed among the most exploited vulnerabilities of 2023)
- CWE: N/A (Specific CWEs not detailed in the snippet)
## Affected Systems
- Products: ThinkPHP, ownCloud GraphAPI
- Versions:
  - ThinkPHP: versions prior to 6.0.14
  - ownCloud GraphAPI: versions prior to 0.3.1
- Configurations: Unpatched instances of both software are affected.
## Vulnerability Description
**CVE-2022-47945 (ThinkPHP):** This vulnerability is publicly documented, and threat actors have been actively exploiting it since October 2023 to deploy webshells (e.g., the Dama webshell).
**CVE-2023-49103 (ownCloud):** This flaw arises from a dependency issue in the ownCloud GraphAPI component. It involves a third-party library that exposes PHP environment details through a URL, potentially allowing attackers to steal sensitive information.
## Exploitation
- Status:
  - CVE-2022-47945: currently under high-volume exploitation, with activity observed from 572 unique IPs (per GreyNoise). Exploited in the wild since October 2023.
  - CVE-2023-49103: actively exploited and listed among the 15 most exploited vulnerabilities of 2023 by FBI/CISA/NSA. Activity recently observed from 484 unique IPs.
- Complexity: Not explicitly stated, but widespread exploitation suggests low-to-medium complexity for initial access.
- Attack Vector: Network (Implied, as these are internet-facing applications)
## Impact
- Confidentiality: High (Due to information disclosure and ability to deploy webshells)
- Integrity: High (Ability to execute code via webshells)
- Availability: Medium/High (Potential for system compromise leading to shutdowns or service disruption)
## Remediation
### Patches
- **ThinkPHP:** Upgrade to version 6.0.14 or later.
- **ownCloud GraphAPI:** Upgrade to version 0.3.1 or later.
### Workarounds
- Take potentially vulnerable instances offline.
- Place vulnerable instances behind a firewall to reduce the attack surface.
## Detection
- **Indicators of Compromise:** Presence of known webshells (like Dama Webshell) on ThinkPHP servers.
- **Detection Methods and Tools:** Monitoring network traffic for patterns associated with exploitation attempts targeting these applications. Use of threat intelligence platforms like GreyNoise to track exploitation volume.
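A version-inventory check against the two patch thresholds listed under Remediation, added here as an example (it is not code from the source report or from either project). It assumes ThinkPHP 6 is installed through Composer as the `topthink/framework` package and that the ownCloud GraphAPI app declares its version in `appinfo/info.xml`; the `composer.lock` and `info.xml` contents below are constructed samples.

```python
import json
import re
import xml.etree.ElementTree as ET

# Fixed releases from the Remediation section: anything older is flagged.
FIXED = {"thinkphp": (6, 0, 14), "owncloud-graphapi": (0, 3, 1)}

def parse_version(text):
    """Turn 'v6.0.13' or '0.3' into a 3-tuple of ints so tuples compare correctly."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(product, version):
    """True when the installed version predates the fixed release for that product."""
    return parse_version(version) < FIXED[product]

def thinkphp_version_from_composer_lock(lock_json):
    """Version of topthink/framework recorded in composer.lock, or None if absent.
    (Assumption: ThinkPHP 6 is installed via Composer under that package name.)"""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "topthink/framework":
            return pkg.get("version")
    return None

def graphapi_version_from_info_xml(xml_text):
    """Version declared in the GraphAPI app's appinfo/info.xml (assumed layout)."""
    return ET.fromstring(xml_text).findtext("version")

# Constructed sample inputs standing in for files read off a server.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "topthink/framework", "version": "v6.0.13"},
    {"name": "psr/log", "version": "1.1.4"},
]})
SAMPLE_INFO_XML = "<info><id>graphapi</id><version>0.3.0</version></info>"

def audit(lock_json=SAMPLE_LOCK, info_xml=SAMPLE_INFO_XML):
    """Map product -> (installed version, vulnerable?) for both advisories."""
    results = {}
    tp = thinkphp_version_from_composer_lock(lock_json)
    if tp is not None:
        results["thinkphp"] = (tp, is_vulnerable("thinkphp", tp))
    gr = graphapi_version_from_info_xml(info_xml)
    if gr is not None:
        results["owncloud-graphapi"] = (gr, is_vulnerable("owncloud-graphapi", gr))
    return results
```

Point `audit()` at the real `composer.lock` and `info.xml` contents of each host to get a per-product verdict; a `True` flag means the installed version is below the fixed release named above.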
## References
- Vendor Advisories: not linked in the source; the upgrade guidance above implies them.
- Relevant Links:
- bleepingcomputer com/news/security/surge-in-attacks-exploiting-old-thinkphp-and-owncloud-flaws/
- greynoise io/blog/new-exploitation-surge-attackers-target-thinkphp-and-owncloud-flaws-at-scale