CVE-2021-23592

7.7 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code through insecure deserialization in the topthink/framework PHP package. It affects all applications using versions before 6.0.12 of this framework. Attackers can exploit this to gain control over affected systems.

💻 Affected Systems

Products:
  • topthink/framework
Versions: All versions before 6.0.12
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using the vulnerable Driver class for deserialization operations.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Remote code execution allowing attackers to install malware, steal sensitive data, or use the system as a foothold for further attacks.

🟢 If Mitigated: Limited impact if proper input validation and network segmentation are in place, though deserialization vulnerabilities remain dangerous.

🌐 Internet-Facing: HIGH - Directly exploitable over the network without authentication in many configurations.
🏢 Internal Only: MEDIUM - Still exploitable internally but requires network access; could be used for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities are commonly exploited and weaponized; proof-of-concept code is available in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.12

Vendor Advisory: https://github.com/top-think/framework/releases/tag/v6.0.12

Restart Required: Yes

Instructions:

1. Update composer.json to require "topthink/framework": "^6.0.12"
2. Run composer update topthink/framework
3. Restart your PHP application/web server

🔧 Temporary Workarounds

Input Validation Filter (platforms: all): Implement strict input validation to reject any untrusted serialized data before it reaches the Driver class.

Disable Vulnerable Features (platforms: all): If possible, disable or restrict usage of the affected Driver class methods that perform deserialization.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems from critical assets
  • Deploy web application firewall (WAF) rules to block serialized data patterns

🔍 How to Verify

Check if Vulnerable:

Check composer.json or composer.lock for topthink/framework version; if version is <6.0.12, the system is vulnerable.

Check Version:

composer show topthink/framework | grep versions

Verify Fix Applied:

After updating, verify that composer.lock shows topthink/framework version 6.0.12 or higher.
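The version check above can be scripted against composer.lock so it runs in CI or across a fleet. The following is an added example, not part of the original advisory or the topthink project: it reads the lock file, finds topthink/framework in both the runtime and dev package sections, and compares the locked version against the 6.0.12 fix version. The embedded composer.lock fragment is constructed sample input; pre-release tags (for example a hypothetical "6.0.12-beta") and non-numeric "dev-" versions are treated conservatively as below the fix.

```python
import json
import re
import sys

# Constructed sample composer.lock fragment (not from a real project): one vulnerable pin.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v6.0.9"},
        {"name": "topthink/think-orm", "version": "v2.0.50"},
    ],
    "packages-dev": [],
})

PACKAGE = "topthink/framework"
# First release containing the fix, per the advisory. The 4th component is a
# release flag: 0 for a final release, -1 for a pre-release or unparseable tag.
FIXED_VERSION = (6, 0, 12, 0)


def parse_version(version):
    """Turn 'v6.0.9', '6.0.12' or '6.0.12-beta' into a comparable 4-tuple.

    Leading 'v' is dropped, the numeric core is split on '.', and anything after
    a '-' marks a pre-release, which sorts below the final release of the same
    number. A tag with no leading digits (e.g. 'dev-master') yields (0, 0, 0, -1)
    so it is reported as vulnerable rather than silently passing.
    """
    stripped = version.strip().lstrip("vV")
    core, _, suffix = stripped.partition("-")
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:          # pad so '6.0' compares as 6.0.0
        parts.append(0)
    flag = -1 if (suffix or not parts or not re.match(r"\d", core)) else 0
    return tuple(parts[:3]) + (flag,)


def installed_version(lock_text, package=PACKAGE):
    """Return the locked version string of `package` from either section, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def is_vulnerable(lock_text):
    """True if topthink/framework is locked below 6.0.12, False if at or above, None if not installed."""
    version = installed_version(lock_text)
    if version is None:
        return None
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Usage: python check_cve_2021_23592.py /path/to/composer.lock (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    state = is_vulnerable(text)
    found = installed_version(text)
    if state is None:
        print(f"{PACKAGE} not present in lock file")
    else:
        print(f"{PACKAGE} {found}: {'VULNERABLE (< 6.0.12)' if state else 'fixed (>= 6.0.12)'}")
    sys.exit(1 if state else 0)
```

Checking composer.lock rather than composer.json matters because the lock records the version actually installed, while the constraint in composer.json only states what is allowed.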

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP errors related to unserialize()
  • Suspicious POST/PUT requests containing serialized data patterns
  • Unexpected process execution from web server context

Network Indicators:

  • HTTP requests containing serialized PHP object patterns (O:&lt;number&gt;:, s:&lt;number&gt;:)
  • Outbound connections from web servers to unknown external IPs

SIEM Query:

source="web_logs" AND ("unserialize" OR "O:\d+" OR "s:\d+")
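The log and network indicators above can be checked directly over request logs when a SIEM query is not available. The following is an added example, not part of the original advisory: it URL-decodes each log line (bounded, so double-encoded bodies are still seen) and matches the PHP serialization tokens `O:<len>:"<class>":<n>:{` and `s:<len>:"`. The sample log lines are constructed, and the log format (a method, path, status and an optional body="..." field) is an assumption; adapt the parsing to your own access-log layout. Anchoring on the quote and the brace, rather than the bare `O:\d+` of the SIEM query, keeps ordinary text such as "SO:1" from triggering.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request-log lines (not real traffic). Line 2 carries a
# URL-encoded serialized stdClass, line 5 a serialized array holding an object
# of a made-up class "Demo"; the others are benign.
SAMPLE_LOG = [
    'GET /index.php?id=42 200',
    'POST /api/cache 200 body="data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"',
    'POST /login 302 body="user=alice&pass=..."',
    'GET /search?q=SO%3A1+results 200',
    'POST /upload 200 body="payload=a:1:{i:0;O:4:"Demo":0:{}}"',
]

# O:<len>:"<ClassName>":<props>:{  -- a serialized PHP object header.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# s:<len>:"  -- a serialized PHP string; noisier on its own, so reported separately.
SERIALIZED_STRING = re.compile(r's:\d+:"')


def decode_layers(text, max_rounds=3):
    """URL-decode repeatedly until stable or the round limit is hit."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_line(line):
    """Return the indicator names that fire on one log line; an empty list means clean."""
    decoded = decode_layers(line)
    hits = []
    if SERIALIZED_OBJECT.search(decoded):
        hits.append("php_serialized_object")
    if SERIALIZED_STRING.search(decoded):
        hits.append("php_serialized_string")
    return hits


def scan_log(lines):
    """Return [(line_number, [indicators])] for every line carrying serialized-PHP patterns."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

In practice only the object indicator deserves an alert on its own; a serialized string without an object header is usually a legitimate cache or session payload and is better used to raise the severity of an object hit than to alert by itself.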
