ThinkPHP is an open-source framework for web application development, licensed under the Apache 2 licence. In ThinkPHP 5.0.22 the framework processes controller names incorrectly: because root controllers are not subject to any specific filtering, an attacker can invoke any framework method, which results in a Remote Code Execution (RCE) vulnerability. Threat actors are actively abusing ThinkPHP to spread a wide range of malware, primarily targeting Internet of Things (IoT) devices.
In the ThinkPHP framework, a specially crafted value in the filter HTTP parameter can lead to arbitrary code execution.
// Validation added in the fixed version: a controller name must begin with a
// letter and may contain only word characters or dots; anything else is rejected.
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
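The check above is the same test a defender can apply to incoming requests to spot controller names that the patched framework would reject. The following Python script is an added example, not code from the ThinkPHP project or the page: it reproduces the page's regular expression (with ASCII semantics, matching PHP's `\w` without the `u` modifier) and runs it over a few constructed access-log lines. The request layouts it parses ("/<module>/<controller>/<action>" in the path, or the same route in an `s` query parameter) and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Regular expression from the ThinkPHP fix shown above. re.ASCII keeps \w to
# [A-Za-z0-9_], which is what PHP's preg_match does without the 'u' modifier.
CONTROLLER_RE = re.compile(r'^[A-Za-z](\w|\.)*$', re.ASCII)

# Pulls the request target out of a combined-format access log line.
TARGET_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def is_valid_controller(name: str) -> bool:
    """True if the name would pass the framework's validation check."""
    return CONTROLLER_RE.match(name) is not None


def controller_from_target(target: str):
    """Return the controller segment of a request target, or None.

    Assumption (not from the page): the route is either the request path
    itself ("/<module>/<controller>/<action>") or the value of an 's' query
    parameter carrying the same "<module>/<controller>/<action>" form.
    """
    parsed = urlparse(target)
    route = parse_qs(parsed.query).get('s', [None])[0]
    if route is None:
        route = parsed.path
    parts = [p for p in unquote(route).split('/') if p]
    return parts[1] if len(parts) >= 2 else None


def flag_suspicious(log_lines):
    """Return (line, controller) pairs whose controller fails the check."""
    hits = []
    for line in log_lines:
        m = TARGET_RE.search(line)
        if not m:
            continue
        ctrl = controller_from_target(m.group(1))
        if ctrl is not None and not is_valid_controller(ctrl):
            hits.append((line, ctrl))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?s=index/User/profile HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?s=index/1user/list HTTP/1.1" 404 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?s=index/user-name/list HTTP/1.1" 404 88',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index/Order/show HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for line, ctrl in flag_suspicious(SAMPLE_LOG):
        print(f'rejected controller {ctrl!r}: {line}')
```

Running the script flags the two requests whose controller segment starts with a digit or contains a hyphen; the legitimate `User` and `Order` controllers pass. Because the regex is anchored at both ends, any controller segment with characters outside `[A-Za-z0-9_.]` is reported, which is the property the fix relies on.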