Update: 4/26 FortiEDR KB article “Threat Coverage: FortiEDR mitigates the risk of post-exploitation activity associated with exploitation of zero day vulnerabilities and unknown malware” added to APPENDIX section. The “What is the Status of Protection?” section has been updated with additional coverage information.

FortiGuard Labs is observing active exploitation of several ThinkPHP remote code execution vulnerabilities (CVE-2019-9082 and CVE-2018-20062). Successful exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the affected system. Both vulnerabilities are on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why is this Significant?

This is significant because active exploitation of CVE-2019-9082 and CVE-2018-20062 is being observed. Also, Proof-of-Concept (PoC) code is publicly available for both vulnerabilities. They are on CISA’s Known Exploited Vulnerabilities (KEV) catalog. As such, patches should be applied as soon as possible.

What is CVE-2019-9082?

CVE-2019-9082 is a PHP injection vulnerability that affects ThinkPHP prior to version 3.2.4. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 8.8.

What is CVE-2018-20062?

CVE-2018-20062 is a PHP injection vulnerability that affects ThinkPHP prior to version 5.0.23. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has a CVSS base score of 9.8.

Is a Patch Available for CVE-2019-9082 and CVE-2018-20062?

Yes, patches are available for both CVE-2019-9082 and CVE-2018-20062.

What is the Status of Protection?

FortiGuard Labs has the following IPS signatures in place for CVE-2019-9082 and CVE-2018-20062:

ThinkPHP.Controller.Parameter.Remote.Code.Execution

FortiGuard Labs FortiEDR product will provide post-exploitation protection against known ThinkPHP vulnerabilities.