CVE-2022-47945: 
PHP vulnerability analysis and mitigation

CVE-2022-47945 is a local file inclusion (LFI) vulnerability affecting ThinkPHP Framework versions before 6.0.14. The vulnerability exists when the language pack feature is enabled (langswitchon=true), allowing an unauthenticated and remote attacker to exploit the 'lang' parameter to execute arbitrary operating system commands (NVD, CVE).

The vulnerability stems from improper handling of the 'lang' parameter in ThinkPHP's language pack feature. When the language pack functionality is enabled, the framework processes language selection through GET parameters, headers, or cookies without proper validation. This allows attackers to perform directory traversal and achieve arbitrary file inclusion. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on affected systems. This can lead to complete system compromise, including unauthorized access to sensitive data, system modification, and potential service disruption (NVD).

Organizations are strongly advised to upgrade ThinkPHP to version 6.0.14 or later. Additional mitigation measures include monitoring and blocking known malicious IPs attempting to exploit this vulnerability, and restricting exposure to affected services where possible to limit the attack surface (SecurityOnline).

Security researchers have noted that this vulnerability, despite not being included in CISA's Known Exploited Vulnerabilities (KEV) catalog, has seen significant exploitation attempts. The disparity between its low EPSS score and actual exploitation rates has raised questions about how organizations prioritize vulnerability patching (GreyNoise).