CVE-2021-36564

9.8 CRITICAL

📋 TL;DR

ThinkPHP v6.0.8 contains a deserialization vulnerability in the Flysystem cached adapter component that allows remote code execution. Attackers can exploit this by sending specially crafted requests to vulnerable endpoints. This affects all systems running ThinkPHP v6.0.8 with the vulnerable component.

💻 Affected Systems

Products:
  • ThinkPHP
Versions: v6.0.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the league/flysystem-cached-adapter component to be present and used in the application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, allowing attackers to execute arbitrary commands, install malware, steal data, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to web shell deployment, data exfiltration, or cryptocurrency mining malware installation.

🟢 If Mitigated

Limited impact if proper input validation and deserialization controls are in place, potentially resulting in denial of service only.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and vulnerable to unauthenticated exploitation.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist and are actively used in attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.0.9 and later

Vendor Advisory: https://github.com/top-think/framework/issues/2559

Restart Required: No

Instructions:

1. Update ThinkPHP to version 6.0.9 or later: composer update topthink/framework
2. Verify the update completed successfully.
3. Test application functionality.

🔧 Temporary Workarounds

Remove vulnerable component (applies to: all platforms)

Temporarily remove or disable the league/flysystem-cached-adapter component if it is not essential:

composer remove league/flysystem-cached-adapter

Input validation filter (applies to: all platforms)

Implement strict input validation for all user-controlled data before it reaches deserialization.

🧯 If You Can't Patch

  • Implement WAF rules to block deserialization attempts and suspicious PHP object injection patterns
  • Restrict network access to vulnerable applications using firewall rules and network segmentation

🔍 How to Verify

Check if Vulnerable:

Check composer.json for 'topthink/framework' at version 6.0.8 and for the presence of the 'league/flysystem-cached-adapter' package.

Check Version:

composer show topthink/framework | grep versions

Verify Fix Applied:

Verify that composer.json shows 'topthink/framework' at version 6.0.9 or higher.
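The check above can be automated. The script below is an added example written for this page, not a ThinkPHP or Composer tool; it reads a composer.lock document, which records the exact installed versions that the constraints in composer.json resolve to, and reports whether both advisory conditions (framework not yet at 6.0.9 and the cached adapter installed) still hold. The embedded lock content is constructed for the demo; point assess_lock_file at a real composer.lock to run it against an application.

```python
import json
import re

# Constructed composer.lock excerpt for demonstration only (not from any real
# project): framework 6.0.8 pinned beside the cached adapter named in the advisory.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v6.0.8"},
        {"name": "league/flysystem", "version": "1.1.4"},
        {"name": "league/flysystem-cached-adapter", "version": "1.1.0"},
    ],
    "packages-dev": [],
})

# The same excerpt after "composer update topthink/framework" to the fixed release.
SAMPLE_LOCK_PATCHED = SAMPLE_LOCK.replace('"v6.0.8"', '"v6.0.9"')

FRAMEWORK = "topthink/framework"
ADAPTER = "league/flysystem-cached-adapter"
FIXED_VERSION = (6, 0, 9)  # first fixed release per the advisory


def parse_version(text):
    """Turn 'v6.0.8' or '6.0.10' into a comparable tuple of ints.

    Pre-release suffixes after '-' are ignored; returns None if no digits found.
    """
    nums = re.findall(r"\d+", text.split("-", 1)[0])
    if not nums:
        return None
    return tuple(int(n) for n in nums[:3])


def assess_lock(lock_text):
    """Report whether a composer.lock document still matches the advisory's
    affected configuration: framework below the fix and the adapter installed."""
    lock = json.loads(lock_text)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg.get("version", "")

    framework_version = installed.get(FRAMEWORK)
    parsed = parse_version(framework_version) if framework_version else None
    # Unknown or unparsable versions are treated as not fixed, so they get reviewed.
    framework_fixed = parsed is not None and parsed >= FIXED_VERSION
    adapter_present = ADAPTER in installed

    return {
        "framework_version": framework_version,
        "framework_fixed": framework_fixed,
        "adapter_present": adapter_present,
        # Both conditions from the advisory must hold for the app to be exposed.
        "vulnerable": framework_version is not None and not framework_fixed and adapter_present,
    }


def assess_lock_file(path):
    """Convenience wrapper: run the assessment on a composer.lock on disk."""
    with open(path, encoding="utf-8") as fh:
        return assess_lock(fh.read())


if __name__ == "__main__":
    for label, text in (("before update", SAMPLE_LOCK), ("after update", SAMPLE_LOCK_PATCHED)):
        print(label, assess_lock(text))
```

Reading the lock file rather than composer.json matters because composer.json usually holds a range constraint (for example a caret range) and says nothing about which release is actually installed; the lock file and composer show agree on that.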

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with serialized data
  • PHP error logs containing deserialization warnings
  • Web shell file creation in web directories

Network Indicators:

  • HTTP requests containing serialized PHP objects
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND ("__destruct" OR "__wakeup" OR "O:" OR "C:" OR "unserialize")
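The query above matches the bare tokens "O:" and "C:", which is noisy (any "INFO:" message or Windows drive letter contains them) and misses request data that arrives percent-encoded. The script below is an added example written for this page, not part of the original advisory or any SIEM product; it applies the full serialized-object prefix signature to URL-decoded log lines and compares the hits with the bare-token count. The log lines are constructed for the demo and use a harmless stdClass placeholder rather than any real payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from a real server). The format is a simplified
# access log with the request body appended, as a reverse proxy or WAF configured
# to log bodies would produce. Line 2 carries a percent-encoded serialized object,
# line 3 is benign text that the bare "O:"/"C:" tokens would flag, and line 4
# carries the same object in a query string.
SAMPLE_LOG = [
    '203.0.113.5 "GET /index.php HTTP/1.1" 200 body=""',
    '203.0.113.9 "POST /index.php/cache HTTP/1.1" 200 body="data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '198.51.100.2 "GET /health HTTP/1.1" 200 body="" note="INFO: cache warmup from C:\\www\\cache"',
    '198.51.100.7 "GET /index.php?q=O:8:%22stdClass%22:0:{} HTTP/1.1" 200 body=""',
]

# A serialized PHP object (O:) or custom-serialized class (C:) always has the shape
#   <type>:<name length>:"<class name>":<count>:{
# Requiring the whole prefix, not just the leading letter and colon, removes the
# false positives that a bare token search produces.
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def find_serialized_objects(line):
    """Return every serialized-object prefix found in a log line after URL-decoding,
    so percent-encoded request data is inspected in the form PHP would see it."""
    return PHP_OBJECT_RE.findall(unquote_plus(line))


def scan_lines(lines):
    """Scan an iterable of log lines; return (1-based line number, matches) pairs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_serialized_objects(line)
        if found:
            hits.append((number, found))
    return hits


def naive_token_count(lines):
    """Count lines the SIEM query's bare 'O:' / 'C:' tokens match, for comparison."""
    return sum(1 for line in lines if "O:" in line or "C:" in line)


if __name__ == "__main__":
    for number, found in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {found}")
    print("bare-token matches:", naive_token_count(SAMPLE_LOG))
```

On the sample, the structured signature flags lines 2 and 4 only, while the bare-token count is also 2 but made up of line 3 (a false positive) and line 4 (missing the encoded line 2). The same decode-then-match step belongs in whichever SIEM or WAF rule language is in use.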
