Threat actors have been ramping up the exploitation of two old vulnerabilities in ThinkPHP and OwnCloud, threat intelligence firm GreyNoise warns.

The ThinkPHP issue, tracked as CVE-2022-47945 (CVSS score of 9.8), is described as a local file inclusion flaw via the ‘lang’ parameter. It affects the ThinkPHP framework iterations prior to version 6.0.14 that have the language pack feature enabled.

“An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands,” a NIST advisory reads.

The security defect is not included in US cybersecurity agency CISA’s Known Exploited Vulnerabilities (KEV) catalog and has not drawn much attention, although threat actors have been exploiting it in the wild, GreyNoise notes.

The OwnCloud bug, tracked as CVE-2023-49103 (CVSS score of 10) and affecting the ‘graphapi’ app, leads to the disclosure of the PHP environment’s configuration details (phpinfo) through a URL in a third-party library.

Exploitation of the vulnerability started only days after its public disclosure in November 2023, when Shadowserver Foundation warned that there were roughly 11,000 OwnCloud instances exposed to the internet.

CISA added CVE-2023-49103 to the KEV catalog on November 30, 2023, and warned roughly one year later that it had become one of the top routinely exploited vulnerabilities.

According to GreyNoise, the threat activity around both vulnerabilities has surged significantly over the past 10 days, as attackers are scanning for vulnerable instances and attempting to exploit them.

The threat intelligence firm says it has observed 572 unique IPs attempting to exploit the ThinkPHP bug and 484 unique IPs targeting the OwnCloud defect.

Organizations are advised to apply the available patches for both ThinkPHP and OwnCloud, to reduce their attack surface by limiting access to vulnerable services, and to monitor and block known malicious IPs.

Related: Trimble Cityworks Customers Warned of Zero-Day Exploitation

Related: CISA Issues Exploitation Warning for .NET Vulnerability

Related: Exploitation of Over 700 Vulnerabilities Came to Light in 2024

Related: Adobe Patches ColdFusion Flaw at High Risk of Exploitation