Cyber Resilience

CVE-2025-50706

CriticalPublic PoCRCE

Published: 05 August 2025

Published
05 August 2025
Modified
14 August 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0440 89.2th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50706 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkphp Thinkphp. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-50706 is a code injection vulnerability (CWE-94) affecting ThinkPHP version 5.1. The flaw resides in the routecheck function and permits remote attackers to supply crafted input that results in arbitrary code execution on the server.

A remote, unauthenticated attacker can exploit the issue over the network with low complexity. Successful exploitation grants complete control over the affected application, allowing arbitrary code execution that impacts confidentiality, integrity, and availability.

The provided references point to technical write-ups detailing the routecheck flaw and related file-inclusion behavior in ThinkPHP 5.1, but contain no vendor advisory, patch information, or official mitigation guidance. The EPSS score remains flat at 0.0440 with no observed upward trajectory after disclosure.

EU & UK References

Vulnerability details

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via code injection in public-facing ThinkPHP web app maps cleanly to exploitation of internet-facing software for initial access and arbitrary execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-50707Same product: Thinkphp Thinkphp
CVE-2018-25270Same product: Thinkphp Thinkphp
CVE-2025-63888Same product: Thinkphp Thinkphp
CVE-2025-13773Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2026-30643Shared CWE-94
CVE-2026-30460Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2024-13792Shared CWE-94

Affected Assets

thinkphp
thinkphp
5.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation directly addresses the code injection vulnerability in ThinkPHP 5.1's routecheck function by applying patches or upgrades to prevent arbitrary code execution.

prevent

Information input validation checks and sanitizes inputs to the routecheck function, blocking malicious code injection attempts by remote attackers.

prevent

Prohibiting unsupported system components like ThinkPHP 5.1 prevents deployment and use of software known to contain critical code injection vulnerabilities.

References