CVE-2018-20062

CRITICAL KEV NUCLEI

NoneCms V1.3 - Remote Code Execution via Filter Parameter

Title source: llm

Exploitation Summary

CVE-2018-20062 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 5 public exploits from researchers including NS-Sp4ce, shenhui35, yilin1203, including a Metasploit module exploits/unix/webapp/thinkphp_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python script designed to scan for and detect the ThinkPHP 5.0/5.1 RCE vulnerability (CVE-2018-20062) by sending specific payloads to target URLs and checking for PHP info disclosure. It uses multithreading for efficiency and includes basic error handling.

Description

An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.

Exploits (5)

nomisec SCANNER 6 stars

by NS-Sp4ce · remote

https://github.com/NS-Sp4ce/thinkphp5.XRce

View Code ZIP pw:eip

This repository contains a Python script designed to scan for and detect the ThinkPHP 5.0/5.1 RCE vulnerability (CVE-2018-20062) by sending specific payloads to target URLs and checking for PHP info disclosure. It uses multithreading for efficiency and includes basic error handling.

Classification

Scanner 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ThinkPHP 5.0.x <= 5.0.23, 5.1.x < 5.1.31

No auth needed

Prerequisites: Target URLs listed in a file named 'url.txt' · Python environment with required libraries (requests, BeautifulSoup)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by shenhui35 · poc

https://github.com/shenhui35/RedArrow

View Code ZIP pw:eip

This repository contains a Python-based exploit tool for CVE-2018-20062, targeting ThinkPHP 5.0.23 RCE via the `?s=captcha` parameter. It includes both single-command execution and an interactive Godzilla-like shell with AES encryption.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ThinkPHP 5.0.23

No auth needed

Prerequisites: Target with ThinkPHP 5.0.23 and accessible `?s=captcha` endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by yilin1203 · remote

https://github.com/yilin1203/CVE-2018-20062

View Code ZIP pw:eip

This PoC exploits CVE-2018-20062, a remote code execution vulnerability in ThinkPHP. It leverages the `captcha` endpoint to inject malicious payloads via the `_method` and `filter[]` parameters, allowing arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: ThinkPHP (versions affected by CVE-2018-20062)

No auth needed

Prerequisites: Target must be running a vulnerable version of ThinkPHP · Network access to the target's `index.php?s=captcha` endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

rubyremotelinux

https://www.exploit-db.com/exploits/48333

View Code ZIP pw:eip

This Metasploit module exploits PHP injection vulnerabilities in ThinkPHP versions up to 5.0.23, allowing remote code execution (RCE) via crafted HTTP requests. It includes version detection and two distinct exploit methods for different ThinkPHP versions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ThinkPHP <= 5.0.23

No auth needed

Prerequisites: Network access to the target web application · ThinkPHP application running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by wvu · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/thinkphp_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits PHP injection vulnerabilities in ThinkPHP versions up to 5.0.23 to achieve remote code execution. It includes version detection and supports both direct command execution and staged payloads.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ThinkPHP <= 5.0.23

No auth needed

Prerequisites: Network access to the target web application · ThinkPHP application running a vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

ThinkPHP 5.0.23 - Remote Code Execution

CRITICALVERIFIEDby dr_set

FOFA: app="ThinkPHP"

References (3)

Core 3

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20062

Exploit, Third Party Advisory x_refsource_misc

https://github.com/nangge/noneCms/issues/21

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9431

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2021-11-03

VulnCheck KEV 2019-06-12

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2018-12637

Status published

Products (1)

5none/nonecms 1.3.0

Published Dec 11, 2018

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026