Cyber Resilience

CVE-2025-50707

CriticalPublic PoCRCE

Published: 05 August 2025

Published
05 August 2025
Modified
14 August 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0440 89.2th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50707 is a critical-severity Code Injection (CWE-94) vulnerability in Thinkphp Thinkphp. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-50707 is a code injection vulnerability, tracked under CWE-94, that affects ThinkPHP version 3.2.5. The flaw resides in the index.php component and permits remote attackers to execute arbitrary code on the server. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction, resulting in complete confidentiality, integrity, and availability impact.

An unauthenticated remote attacker can send a crafted request to the index.php endpoint and achieve arbitrary code execution on the affected ThinkPHP installation, allowing full system compromise without any prior access.

Public references consist of technical write-ups hosted on xinyisleep.github.io that detail the issue and reference a related Chinese vulnerability identifier (CNVD-2024-39045), though no official vendor advisory or patch information is supplied in the available data.

The EPSS score remains flat at 0.0440 with no observed increase after disclosure, and no reports of active exploitation are present in the provided details.

EU & UK References

Vulnerability details

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE in public-facing ThinkPHP web component (CWE-94) enables remote exploitation of the application without auth.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-50706Same product: Thinkphp Thinkphp
CVE-2018-25270Same product: Thinkphp Thinkphp
CVE-2025-63888Same product: Thinkphp Thinkphp
CVE-2025-13773Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2026-30643Shared CWE-94
CVE-2026-30460Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2024-13792Shared CWE-94

Affected Assets

thinkphp
thinkphp
3.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the arbitrary code execution flaw in ThinkPHP 3.2.5's index.php component through identification, reporting, and correction of vulnerabilities.

prevent

Enforces validation of information inputs to the index.php component, preventing code injection exploits classified under CWE-94.

preventdetect

Implements boundary protection such as web application firewalls to monitor and control network traffic targeting the vulnerable index.php, blocking exploitation attempts.

References