CVE-2022-47945

Confirmed PUBLISHED

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

ThinkPHP · ThinkPHP Framework

Not yet in CISA KEV

Exploited in the wild Active exploitation observed PoC available Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
1,958
Unique Attacker IPs
338
CISA KEV
Not yet in CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
9.8 Critical EPSS 15.5%

At a Glance

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.

nuclei_scanner php
CVE Published
Dec 23, 2022
Exploitation Reported
Jun 21, 2025
CVSS
9.8 Critical
EPSS
15.5%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
n/a
n/a

n/a

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.