CVE-2020-23653
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on ThinkAdmin systems by exploiting insecure unserialize functions in specific API controllers. It affects ThinkAdmin versions 4.x through 6.x, potentially compromising any server running these vulnerable versions.
💻 Affected Systems
- ThinkAdmin
📦 What is this software?
Thinkadmin by Thinkadmin
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with full remote code execution, data theft, and potential lateral movement within the network.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, and server takeover.
If Mitigated
Attack blocked at perimeter with proper input validation and serialization controls in place.
🎯 Exploit Status
CVSS 9.8 indicates critical severity with low attack complexity and no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.1.12 or later
Vendor Advisory: https://github.com/zoujingli/ThinkAdmin/issues/238
Restart Required: No
Instructions:
1. Update ThinkAdmin to version 6.1.12 or later.
2. Replace vulnerable files with patched versions from the official repository.
3. Clear any cached files or compiled templates.
🔧 Temporary Workarounds
Disable vulnerable endpoints
Temporarily disable or restrict access to the vulnerable API endpoints.
# Add rewrite rules to block access to vulnerable paths
# For Apache: RewriteRule ^app/(admin|wechat)/controller/api/(Update|Push)\.php$ - [F]
# For Nginx: location ~ ^/app/(admin|wechat)/controller/api/(Update|Push)\.php$ { return 403; }
Input validation filter
Add serialization input validation before processing.
# In PHP configuration or application code:
# ini_set('unserialize_callback_func', 'safeguard_function');
# Note: unserialize_callback_func is only invoked when unserialize() meets a class that is not defined,
# so on its own it does not validate the incoming data.
# Or implement custom validation for serialized data before it reaches unserialize()
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ThinkAdmin instances
- Deploy web application firewall with rules to block serialization payloads
🔍 How to Verify
Check if Vulnerable:
Check if ThinkAdmin version is between 4.x and 6.x, and examine app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php for unserialize() calls without proper validation.
Check Version:
Check ThinkAdmin version in configuration files or via composer show zoujingli/think-admin
Verify Fix Applied:
Verify ThinkAdmin version is 6.1.12 or later, and check that vulnerable files have been updated with proper input validation for unserialize operations.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /app/admin/controller/api/Update.php or /app/wechat/controller/api/Push.php
- Serialized data in request parameters
- Unexpected PHP process execution
Network Indicators:
- HTTP requests with serialized payloads to vulnerable endpoints
- Outbound connections from web server to unknown destinations
SIEM Query:
source="web_access.log" AND (uri="/app/admin/controller/api/Update.php" OR uri="/app/wechat/controller/api/Push.php") AND (method="POST" OR method="PUT")
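The SIEM query above expressed as a small log scanner, as an added example that is not part of the original advisory. It runs over constructed combined-format access-log lines (sample addresses and timestamps are made up) and raises a finding for write requests to the two endpoints named above, plus a second signal for a serialized PHP object signature in the query string; the endpoint paths come from the advisory, everything else is an assumption of this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoints and methods named in the advisory's SIEM query.
VULNERABLE_PATHS = {
    "/app/admin/controller/api/Update.php",
    "/app/wechat/controller/api/Push.php",
}
WRITE_METHODS = {"POST", "PUT"}

# Combined-log-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Signature of a serialized PHP object (O:) or custom-serializable class (C:), e.g. O:8:"stdClass":0:{}
PHP_OBJECT_RE = re.compile(r'(?:O|C):\d+:"[A-Za-z0-9_\\]+"')

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /app/admin/controller/api/Update.php?rules=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2024:10:00:02 +0000] "GET /admin.html HTTP/1.1" 200 4096
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "PUT /app/wechat/controller/api/Push.php HTTP/1.1" 500 0
192.0.2.3 - - [10/Jan/2024:10:00:04 +0000] "POST /app/admin/controller/api/Update.php HTTP/1.1" 200 128
"""

def scan_line(line: str):
    """Return a finding dict for one log line, or None when the line is benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reasons = []
    if parts.path in VULNERABLE_PATHS and m.group("method") in WRITE_METHODS:
        reasons.append("write request to vulnerable endpoint")
    # Access logs hold the query string but not the POST body, so this second
    # signal only catches payloads carried in URL parameters.
    if PHP_OBJECT_RE.search(unquote_plus(parts.query)):
        reasons.append("serialized PHP object in query string")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": parts.path,
            "status": m.group("status"), "reasons": reasons}

def scan_log(text: str):
    """Scan a whole log text and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Body-borne payloads are invisible to an access log, so in production pair this with WAF or request-body logging at the endpoints rather than relying on the query-string signal alone.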