CRITICAL🇵🇱 Wersja polska

CVE-2025-50707

CVSS 9.8v3.1pub. 2025-08-05upd. 2025-08-14

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component

🤖 AI Analysis
How it works

The attacker sends a crafted HTTP request to the index.php component of an application based on ThinkPHP 3.2.5. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and indicates the possibility of code injection and execution on the server side. The exploit requires no authentication, user interaction, or special network conditions, making it trivial to execute remotely.

Impact

Attackers can gain full control of the server — read, modify or delete data, execute arbitrary system commands, and potentially gain access to other resources on the internal network.

Mitigation & patch

Apply patches available from the vendor according to references. Due to lack of active support for the ThinkPHP 3.x branch, urgent migration to a currently supported version of the framework is recommended.

Who is affected

ThinkPHP version 3.2.5 (thinkphp3)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Thinkphp

    APP
    Thinkphp
    3.2.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2018-25270CRITICAL9.3PL ✓ten sam produkt

ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)

CVE-2025-63888CRITICAL9.8PL ✓ten sam produkt

RCE w funkcji read sterownika szablonów ThinkPHP 5.0.24

CVE-2025-50706CRITICAL9.8PL ✓ten sam produkt

RCE w ThinkPHP 5.1 przez funkcję routecheck

CVE-2024-48112CRITICAL9.8PL ✓ten sam produkt

ThinkPHP: RCE poprzez deserializację w Index.php (CVE-2024-48112)

CVE-2024-44902CRITICAL9.8PL ✓ten sam produkt

Krytyczna podatność deserialization RCE w ThinkPHP v6.1.3–v8.0.4