CVE-2018-25270

CRITICAL EXPLOITED

ThinkPHP 5.0.23 Remote Code Execution via invokefunction

Title source: cna

Exploitation Summary

CVE-2018-25270 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including VulnSpy.

AI-analyzed exploit summary: This exploit leverages a method invocation vulnerability in ThinkPHP 5.x to execute arbitrary commands via the `call_user_func_array` function. The crafted URL passes a system command (`php -r 'phpinfo();'`) through the `vars` parameter, demonstrating remote code execution.

Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

Exploits (1)

ExploitDB (working PoC)
by VulnSpy · text · webapps · php
https://www.exploit-db.com/exploits/45978

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ThinkPHP 5.x < v5.0.23, v5.1.31
Authentication: none needed
Prerequisites: exposed ThinkPHP application with vulnerable version
Analyzed by devstral-2 on Apr 22, 2026

References (4)

Core References (4)
- Exploit: ExploitDB-45978
  https://www.exploit-db.com/exploits/45978
- Product: Official Product Homepage
  https://thinkphp.cn
- Product: Product Reference
  https://github.com/top-think/framework/
- Third Party Advisory: VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction
  https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction

Scores

CVSS v3 9.8
EPSS 0.0089
EPSS Percentile 54.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2026-06-04
CWE: CWE-639
Status: published
Products (4)
thinkphp/thinkphp 5.1.31
thinkphp/thinkphp 5.0.0 - 5.0.23
Thinkphp/ThinkPHP 5.0.23
Thinkphp/ThinkPHP 5.1.31
Published: Apr 22, 2026
Tracked Since: Apr 22, 2026