CVE-2024-44902

9.8 CRITICAL

📋 TL;DR

A deserialization vulnerability in ThinkPHP versions 6.1.3 through 8.0.4 allows attackers to execute arbitrary code by sending specially crafted requests. This affects all applications using vulnerable ThinkPHP versions, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • ThinkPHP
Versions: 6.1.3 to 8.0.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web server compromise, data exfiltration, and cryptocurrency mining malware deployment.

🟢 If Mitigated: Limited impact with proper network segmentation, WAF filtering, and minimal privileges, though risk remains significant.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.5

Vendor Advisory: http://thinkphp.com

Restart Required: No

Instructions:

1. Update ThinkPHP to version 8.0.5 or later.
2. Replace all framework files with the patched version.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict input validation to reject serialized data in HTTP requests. Add input filtering middleware to reject unserialize() operations on user input.

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules to block deserialization payloads. Configure the WAF to block requests containing serialized PHP object patterns.

🧯 If You Can't Patch

  • Isolate affected systems behind strict network segmentation
  • Implement application-level input sanitization and disable unserialize() on user input

🔍 How to Verify

Check if Vulnerable:

Check the ThinkPHP version in composer.json or in the framework files. If the version is between 6.1.3 and 8.0.4 inclusive, the system is vulnerable.

Check Version:

grep -A1 '"name": "topthink/framework"' composer.lock | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Verify that the ThinkPHP version is 8.0.5 or higher. Test with known exploit payloads to confirm they are blocked.
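A scripted form of the version check above, added here as an example (it is not part of the advisory or of ThinkPHP): it reads the locked version of the ThinkPHP Composer package, assumed to be topthink/framework in a standard Composer layout, and tests it against the 6.1.3 to 8.0.4 range, including pre-release suffixes and short versions. The composer.lock fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether the installed ThinkPHP
# (Composer package topthink/framework, assumed standard layout) falls inside
# the CVE-2024-44902 affected range 6.1.3 <= version <= 8.0.4.

# Map "v8.0.4", "8.0.4-rc1" or "8.1" to one comparable integer:
# major*1000000 + minor*1000 + patch (missing fields count as 0).
version_key() {
    v=${1#v}; v=${v%%[-+]*}
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    printf '%d\n' $(( major * 1000000 + minor * 1000 + patch ))
}

# Exit status 0 when $1 lies within the affected range (inclusive), 1 otherwise.
thinkphp_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 6.1.3)" ] && [ "$k" -le "$(version_key 8.0.4)" ]
}

# Print the locked topthink/framework version (leading "v" stripped) from a composer.lock.
thinkphp_version_from_lock() {
    awk -F'"' '/"name": "topthink\/framework"/ {f=1; next} f && /"version"/ {print $4; exit}' "$1" |
        sed 's/^v//'
}

# Constructed composer.lock fragment for the demonstration (not a real lock file).
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "topthink/framework",
            "version": "v8.0.4"
        }
    ]
}
EOF

ver=$(thinkphp_version_from_lock "$SAMPLE_LOCK")
if thinkphp_affected "$ver"; then
    echo "topthink/framework $ver is inside the CVE-2024-44902 range: update to 8.0.5 or later"
else
    echo "topthink/framework $ver is outside the affected range"
fi
```

Point thinkphp_version_from_lock at a real composer.lock to check a deployment; an empty result means the package was not found under that name.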

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with serialized data patterns
  • PHP unserialize() errors in application logs
  • Unexpected process execution from web server user

Network Indicators:

  • HTTP requests containing serialized PHP object patterns
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND ("unserialize" OR "O:" OR "C:" OR "a:" in request_body)

🔗 References
