Recent months have witnessed a surge in hacker activity targeting inadequately maintained devices vulnerable to older security flaws from 2022 and 2023.
According to the threat monitoring platform GreyNoise, there has been a marked increase in attempts by cybercriminals to exploit CVE-2022-47945 and CVE-2023-49103, which affect the ThinkPHP Framework and the open-source file-sharing solution ownCloud, respectively.
Both vulnerabilities carry critical severity ratings and can be exploited to execute arbitrary operating system commands or to extract sensitive data, such as administrator credentials and mail server information.
The first, CVE-2022-47945, involves a local file inclusion (LFI) problem in the ThinkPHP Framework, impacting versions prior to 6.0.14. An attacker can remotely exploit this vulnerability in environments where the language pack feature is enabled.
Akamai reported that Chinese threat actors have been actively exploiting this flaw since October 2023 for limited-scope operations. Recently, GreyNoise noted that 572 unique IP addresses have attempted to exploit CVE-2022-47945, with activity on the rise.
Source: GreyNoise
The second vulnerability, CVE-2023-49103, affects the widely used ownCloud software due to its reliance on a vulnerable third-party library. After its disclosure in November 2023, hackers quickly began exploiting this flaw to obtain sensitive information from unpatched systems.
Although over two years have passed since the vendor’s last security update, many instances of ownCloud remain unpatched and vulnerable. GreyNoise has recently noted an uptick in attacks originating from 484 unique IPs targeting this flaw.
Source: GreyNoise
To mitigate these risks, users are strongly advised to upgrade to ThinkPHP version 6.0.14 or later, and ownCloud GraphAPI to version 0.3.1 or newer. Vulnerable systems should also be taken offline or secured behind a firewall to minimize exposure.
Vocabulary List:
- Vulnerability /ˌvʌl.nəˈbɪl.ɪ.ti/ (noun): The quality of being open to damage or attack.
- Exploitation /ˌɛk.splɔɪˈteɪ.ʃən/ (noun): The action of making full use of and benefiting from resources.
- Severity /səˈver.ɪ.ti/ (noun): The condition of being very bad or serious.
- Mitigate /ˈmɪt.ɪ.ɡeɪt/ (verb): To make less severe, serious, or painful.
- Extraction /ɪkˈstræk.ʃən/ (noun): The action of taking out something, especially using effort or force.
- Unpatched /ʌnˈpætʃt/ (adjective): Referring to software or a system that has not been updated with security fixes.
