CVE-2025-50707
Published: 05 August 2025
Summary
CVE-2025-50707 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkphp Thinkphp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-50707 is a code injection vulnerability, tracked under CWE-94, that affects ThinkPHP version 3.2.5. The flaw resides in the index.php component and permits remote attackers to execute arbitrary code on the server. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction, resulting in complete confidentiality, integrity, and availability impact.
An unauthenticated remote attacker can send a crafted request to the index.php endpoint and achieve arbitrary code execution on the affected ThinkPHP installation, allowing full system compromise without any prior access.
Public references consist of technical write-ups hosted on xinyisleep.github.io that detail the issue and reference a related Chinese vulnerability identifier (CNVD-2024-39045), though no official vendor advisory or patch information is supplied in the available data.
The EPSS score remains flat at 0.0440 with no observed increase after disclosure, and no reports of active exploitation are present in the provided details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23627
Vulnerability details
An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE in public-facing ThinkPHP web component (CWE-94) enables remote exploitation of the application without auth.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of the arbitrary code execution flaw in ThinkPHP 3.2.5's index.php component through identification, reporting, and correction of vulnerabilities.
Enforces validation of information inputs to the index.php component, preventing code injection exploits classified under CWE-94.
Implements boundary protection such as web application firewalls to monitor and control network traffic targeting the vulnerable index.php, blocking exploitation attempts.