Threats / ThinkPHP / CVE-2019-9082
CVE-2019-9082
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
ThinkPHP vulnerability
ThinkPHP contains a remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary system commands through improper function invocation and insufficient access controls.
Verdict
Today item — known-exploited.
An unauthenticated remote attacker can exploit insufficient access validation and unsafe function invocation in ThinkPHP to execute arbitrary code with application privileges, leading to complete system compromise.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
75 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03).
Probability (EPSS)
EPSS 0.97419 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: ThinkPHP, ThinkPHP. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-306 Missing Authentication, CWE-94 Code Injection — weakness family: Authentication, Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious HTTP request targeting the public endpoint with parameters that invoke call_user_func_array to execute system commands.
Business
Attackers gain immediate code execution capability without authentication, enabling data theft, malware deployment, or lateral movement.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I bypass access controls by leveraging the framework's routing mechanism to reach internal functions that should not be publicly callable.
Business
Security perimeter is rendered ineffective; internal application logic becomes directly accessible to external threat actors.
3
Lateral reach — past segmentation narrative 3
Attacker
I execute arbitrary system commands through the compromised function invocation, establishing persistence or exfiltrating sensitive data.
Business
Confidentiality, integrity, and availability of systems and data are compromised; incident response and recovery costs escalate significantly.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05