Widespread Exploitation of ThinkPHP and OwnCloud Flaws by Cybercriminals

 GreyNoise has detected a significant surge in exploitation activity targeting two vulnerabilities — CVE-2022-47945 and CVE-2023-49103.

The alarming uptick in attacks underscores critical issues in vulnerability management and patch prioritization.

Cybercriminals are actively scanning and exploiting both vulnerabilities, though they are being perceived differently in terms of risk.

GreyNoise observed a substantial increase in exploitation attempts over the past 10 days, sparking urgent calls for action from the security community.

• CVE-2022-47945 (ThinkPHP Local File Inclusion): This vulnerability allows local file inclusion via the lang parameter in ThinkPHP versions before 6.0.14 when language packs are enabled. While it is not listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog and has a low Exploit Prediction Scoring System (EPSS) score of only 7%, GreyNoise identified 572 unique IPs actively exploiting it. Historically, ThinkPHP vulnerabilities have been associated with Chinese threat actors.
• CVE-2023-49103 (ownCloud GraphAPI Information Disclosure): An information disclosure flaw in ownCloud/graphapi versions 0.2.x prior to 0.2.1 and 0.3.x prior to 0.3.1, this vulnerability has been noted by government agencies like CISA, the NSA, and the FBI as one of the most exploited in 2023. GreyNoise has detected activity from 484 unique IPs targeting this vulnerability, confirming its designation as a high-value target.

Security Challenges and Key Takeaways

The contrasting treatment of these two vulnerabilities highlights a growing issue in vulnerability management.

CVE-2022-47945, though actively exploited, has not received the same level of attention due to its absence from KEV and its low EPSS score.

Meanwhile, CVE-2023-49103 continues to underline the importance of staying vigilant against already-flagged threats.

Key Lessons for Organizations:

1. Real-world risk does not always align with KEV or EPSS scores, as demonstrated by CVE-2022-47945.
2. Real-time attack intelligence is vital to understanding active exploitation trends.
3. Over-reliance on static vulnerability lists can lead to gaps in threat mitigation.

To safeguard against these threats, security teams should:

• Prioritize patching: Upgrade ThinkPHP to version 6.0.14+ and ownCloud GraphAPI to 0.3.1+ immediately.
• Monitor and block malicious IPs: Leverage real-time threat intelligence to counter active exploitation efforts.
• Restrict exposure: Limit access to vulnerable services to reduce attack surfaces.

This incident serves as a stark reminder of the challenges in fortifying cybersecurity perimeters.  Real-time exploitation intelligence must become a cornerstone of enterprise risk management strategies.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free