Cyber Security News

Widespread Exploitation of ThinkPHP and OwnCloud Flaws by Cybercriminals

 GreyNoise has detected a significant surge in exploitation activity targeting two vulnerabilities — CVE-2022-47945 and CVE-2023-49103.

The alarming uptick in attacks underscores critical issues in vulnerability management and patch prioritization.

Cybercriminals are actively scanning and exploiting both vulnerabilities, though they are being perceived differently in terms of risk.

GreyNoise observed a substantial increase in exploitation attempts over the past 10 days, sparking urgent calls for action from the security community.

  • CVE-2022-47945 (ThinkPHP Local File Inclusion): This vulnerability allows local file inclusion via the lang parameter in ThinkPHP versions before 6.0.14 when language packs are enabled. While it is not listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog and has a low Exploit Prediction Scoring System (EPSS) score of only 7%, GreyNoise identified 572 unique IPs actively exploiting it. Historically, ThinkPHP vulnerabilities have been associated with Chinese threat actors.
  • CVE-2023-49103 (ownCloud GraphAPI Information Disclosure): An information disclosure flaw in ownCloud/graphapi versions 0.2.x prior to 0.2.1 and 0.3.x prior to 0.3.1, this vulnerability has been noted by government agencies like CISA, the NSA, and the FBI as one of the most exploited in 2023. GreyNoise has detected activity from 484 unique IPs targeting this vulnerability, confirming its designation as a high-value target.

Security Challenges and Key Takeaways

The contrasting treatment of these two vulnerabilities highlights a growing issue in vulnerability management.

CVE-2022-47945, though actively exploited, has not received the same level of attention due to its absence from KEV and its low EPSS score.

Meanwhile, CVE-2023-49103 continues to underline the importance of staying vigilant against already-flagged threats.

Key Lessons for Organizations:

  1. Real-world risk does not always align with KEV or EPSS scores, as demonstrated by CVE-2022-47945.
  2. Real-time attack intelligence is vital to understanding active exploitation trends.
  3. Over-reliance on static vulnerability lists can lead to gaps in threat mitigation.

To safeguard against these threats, security teams should:

  • Prioritize patching: Upgrade ThinkPHP to version 6.0.14+ and ownCloud GraphAPI to 0.3.1+ immediately.
  • Monitor and block malicious IPs: Leverage real-time threat intelligence to counter active exploitation efforts.
  • Restrict exposure: Limit access to vulnerable services to reduce attack surfaces.

This incident serves as a stark reminder of the challenges in fortifying cybersecurity perimeters.  Real-time exploitation intelligence must become a cornerstone of enterprise risk management strategies.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free



Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Google’s NotebookLM Introduces Voice Summaries in Over 50 Languages

Google has significantly expanded the capabilities of NotebookLM, its AI-powered research tool, by introducing Audio…

5 minutes ago

Android Security Update -A Critical RCE Vulnerability Actively Exploited in the Wild

Google has released critical security patches for Android devices to address 57 vulnerabilities across multiple…

17 minutes ago

Hackers Exploit Fake Chrome Error Pages to Deploy Malicious Scripts on Windows Users

Hackers are leveraging a sophisticated social engineering technique dubbed "ClickFix" to trick Windows users into…

1 hour ago

New ClickFix Attack Imitates Ministry of Defence Website to Target Windows & Linux Systems

A newly identified cyberattack campaign has surfaced, leveraging the recognizable branding of India's Ministry of…

2 hours ago

Threat Actor Evades SentinelOne EDR to Deploy Babuk Ransomware

Aon’s Stroz Friedberg Incident Response Services has uncovered a method used by a threat actor…

2 hours ago

Samsung MagicINFO 9 Server Vulnerability Actively Exploited in the Wild

A critical security vulnerability in the Samsung MagicINFO 9 Server has come under active exploit,…

2 hours ago