Login Sign Up

CVE-2022-45982

9.8 CRITICAL
Remote Code Execution Deserialization

📋 TL;DR

This CVE describes a deserialization vulnerability in ThinkPHP framework that allows attackers to execute arbitrary code on affected systems. Attackers can exploit this by sending specially crafted payloads to vulnerable endpoints. All applications using affected ThinkPHP versions are at risk.

💻 Affected Systems

Products:
  • ThinkPHP
Versions: 6.0.0 through 6.0.13, 6.1.0 through 6.1.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All applications using affected ThinkPHP versions are vulnerable regardless of configuration.

📦 What is this software?

Thinkphp by Thinkphp

View all CVEs affecting Thinkphp →

Thinkphp by Thinkphp

View all CVEs affecting Thinkphp →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, ransomware deployment, or creation of persistent backdoors.

🟠

Likely Case

Remote code execution allowing attackers to install malware, exfiltrate sensitive data, or pivot to internal networks.

🟢

If Mitigated

Limited impact with proper network segmentation, WAF rules, and input validation in place.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication via HTTP requests.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available; exploitation requires sending crafted HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ThinkPHP 6.0.14 and 6.1.2

Vendor Advisory: https://github.com/top-think/framework/releases

Restart Required: No

Instructions:

1. Update ThinkPHP framework to version 6.0.14 or 6.1.2 or later. 2. Update composer.json to require the patched version. 3. Run composer update. 4. Test application functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation to filter deserialization attempts

Implement custom middleware to validate and sanitize all user input before processing

WAF Rule Implementation

all

Deploy web application firewall rules to block deserialization payloads

Add WAF rules to detect and block serialized object patterns in HTTP requests

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check ThinkPHP version in composer.json or via framework's version method

Check Version:

php think version

Verify Fix Applied:

Verify ThinkPHP version is 6.0.14+ or 6.1.2+ and test with known exploit payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with serialized data patterns
  • PHP error logs showing deserialization errors
  • Unexpected process execution from web server

Network Indicators:

  • HTTP requests containing serialized object patterns
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND ("__destruct" OR "__wakeup" OR "O:" OR "C:" OR "a:" OR "s:") AND status=200

📊 Metadata

CVE ID: CVE-2022-45982
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Published: February 8, 2023
Last Updated: March 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-45982, you might also want to check these:

CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire ...

Same vulnerability type (CWE-502)
CVE-2023-49772 10.0

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserializ...

Same vulnerability type (CWE-502)
CVE-2024-25100 10.0

This vulnerability allows unauthenticated attackers to inject malicious PHP objects via deserializat...

Same vulnerability type (CWE-502)