CVE-2018-25270
Received Received - Intake
Remote Code Execution in ThinkPHP 5.0.23 via Routing Parameter

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: VulnCheck

Description
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25270
EUVD
EUVD-2018-21786
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
thinkphp thinkphp From 5.0.0 (inc) to 5.0.23 (exc)
thinkphp thinkphp 5.1.31
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ThinkPHP version 5.0.23 and allows remote attackers to execute arbitrary PHP code without authentication. It occurs because attackers can manipulate the routing parameter to invoke functions, enabling them to run system commands with the same privileges as the application by sending crafted requests to the index.php endpoint.

Impact Analysis

The impact of this vulnerability is severe as it allows unauthenticated remote attackers to execute arbitrary code on the affected system. This can lead to full system compromise, data theft, data loss, service disruption, or the attacker gaining control over the application and potentially the underlying server.

Compliance Impact

CVE-2018-25270 is a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code with application privileges. This can lead to unauthorized access, data breaches, and manipulation of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using vulnerable versions of ThinkPHP may face increased risk of non-compliance due to the possibility of data exposure or system compromise resulting from this vulnerability.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the vulnerable ThinkPHP application's index.php endpoint, specifically targeting the invokefunction mechanism.

A typical detection command involves using curl or similar HTTP clients to send a request that attempts to execute a harmless command such as phpinfo() to verify if remote code execution is possible.

  • curl "http://server/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r 'phpinfo();'"

If the response contains PHP information output, it confirms the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include applying proper input validation and authorization checks on the routing parameters to prevent unauthorized invocation of functions.

Updating ThinkPHP to a version later than 5.0.23 or 5.1.31 where this vulnerability is fixed is strongly recommended.

Additionally, restricting access to the index.php endpoint or disabling the invokefunction mechanism if not needed can reduce the attack surface.

Monitoring and blocking suspicious requests that attempt to exploit the invokefunction parameter can also help mitigate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart