📄 Description (English)
ThinkPHP "noneCms" Remote Code Execution Vulnerability — ThinkPHP "noneCms" contains an unspecified vulnerability that allows for remote code execution through crafted use of the filter parameter.
🤖 AI Executive Summary
CVE-2018-20062 is a critical remote code execution vulnerability in ThinkPHP framework (specifically affecting noneCms) that allows attackers to execute arbitrary code remotely through crafted use of the filter parameter. With a CVSS score of 9.0 and publicly available exploits, this vulnerability has been actively exploited in the wild since its disclosure in 2018. The vulnerability is trivial to exploit and requires no authentication, making it extremely dangerous for any exposed ThinkPHP-based application. Organizations running ThinkPHP-based web applications must patch immediately as this is a well-known and heavily targeted vulnerability.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 10, 2026 22:17
🇸🇦 Saudi Arabia Impact Assessment
ThinkPHP is used in various web applications across Saudi Arabia, particularly in custom-built government portals, e-commerce platforms, and enterprise applications. Government sector websites (NCA-regulated) and educational institutions may be running ThinkPHP-based CMS systems. Banking and financial institutions regulated by SAMA could be affected if any internal or customer-facing applications use this framework. Energy sector companies and telecom providers (STC, Mobily, Zain) with custom web portals built on ThinkPHP are also at risk. The availability of public exploits means Saudi organizations face automated scanning and exploitation attempts from threat actors targeting the Middle East region.
🏢 Affected Saudi Sectors
Government
Banking
E-commerce
Education
Healthcare
Telecom
Energy
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all ThinkPHP-based applications in your environment using asset inventory and web application scanning
2. Immediately update ThinkPHP to version 5.0.23 or later (for 5.0.x) or 5.1.31 or later (for 5.1.x)
3. If patching is not immediately possible, implement WAF rules to block requests containing suspicious 'filter' parameter values, particularly those containing PHP functions like system(), exec(), passthru(), shell_exec()
Detection Rules:
4. Monitor web server logs for requests containing 'filter[]=system' or similar patterns in URL parameters
5. Deploy IDS/IPS signatures for ThinkPHP RCE exploitation attempts (Snort/Suricata rules available)
6. Search for indicators of compromise including webshells and unauthorized processes spawned by web server
Compensating Controls:
7. Restrict access to ThinkPHP applications using network segmentation and IP whitelisting where possible
8. Disable debug mode in production ThinkPHP environments
9. Implement application-level input validation and sanitization
10. Conduct thorough incident response investigation if exploitation is suspected
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع التطبيقات المبنية على ThinkPHP في بيئتكم باستخدام جرد الأصول ومسح تطبيقات الويب
2. تحديث ThinkPHP فوراً إلى الإصدار 5.0.23 أو أحدث (لسلسلة 5.0.x) أو 5.1.31 أو أحدث (لسلسلة 5.1.x)
3. في حال عدم إمكانية التصحيح الفوري، تطبيق قواعد جدار حماية تطبيقات الويب لحظر الطلبات المحتوية على قيم مشبوهة لمعامل 'filter' خاصة تلك المحتوية على دوال PHP مثل system() و exec() و passthru() و shell_exec()
قواعد الكشف:
4. مراقبة سجلات خادم الويب للطلبات المحتوية على 'filter[]=system' أو أنماط مشابهة في معاملات URL
5. نشر توقيعات IDS/IPS لمحاولات استغلال ThinkPHP RCE
6. البحث عن مؤشرات الاختراق بما في ذلك الويب شل والعمليات غير المصرح بها
الضوابط التعويضية:
7. تقييد الوصول إلى تطبيقات ThinkPHP باستخدام تجزئة الشبكة والقوائم البيضاء لعناوين IP
8. تعطيل وضع التصحيح في بيئات الإنتاج
9. تطبيق التحقق من المدخلات وتنقيتها على مستوى التطبيق
10. إجراء تحقيق شامل للاستجابة للحوادث في حال الاشتباه بالاستغلال
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-2:3-1 (Vulnerability Management)
ECC-2:3-2 (Patch Management)
ECC-2:2-1 (Web Application Security)
ECC-2:5-1 (Incident Management)
🔵 SAMA CSF
3.3.3 (Patch Management)
3.3.4 (Vulnerability Management)
3.4.1 (Application Security)
3.3.7 (Web Application Firewall)
🟡 ISO 27001:2022
A.8.8 (Management of technical vulnerabilities)
A.8.9 (Configuration management)
A.8.23 (Web filtering)
A.5.24 (Information security incident management planning)
🟣 PCI DSS v4.0
6.3.3 (Patching security vulnerabilities)
6.4 (Public-facing web applications protection)
11.3 (Penetration testing)
6.2 (Custom application security)
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
ThinkPHP:noneCms