CVE-2025-50706
Published: 05 August 2025
Summary
CVE-2025-50706 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkphp Thinkphp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-50706 is a code injection vulnerability (CWE-94) affecting ThinkPHP version 5.1. The flaw resides in the routecheck function and permits remote attackers to supply crafted input that results in arbitrary code execution on the server.
A remote, unauthenticated attacker can exploit the issue over the network with low complexity. Successful exploitation grants complete control over the affected application, allowing arbitrary code execution that impacts confidentiality, integrity, and availability.
The provided references point to technical write-ups detailing the routecheck flaw and related file-inclusion behavior in ThinkPHP 5.1, but contain no vendor advisory, patch information, or official mitigation guidance. The EPSS score remains flat at 0.0440 with no observed upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23628
Vulnerability details
An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE via code injection in public-facing ThinkPHP web app maps cleanly to exploitation of internet-facing software for initial access and arbitrary execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly addresses the code injection vulnerability in ThinkPHP 5.1's routecheck function by applying patches or upgrades to prevent arbitrary code execution.
Information input validation checks and sanitizes inputs to the routecheck function, blocking malicious code injection attempts by remote attackers.
Prohibiting unsupported system components like ThinkPHP 5.1 prevents deployment and use of software known to contain critical code injection vulnerabilities.