GreyNoise has identified a significant spike in exploitation activity targeting two vulnerabilities — one already flagged by government agencies as a top target, and another flying under the radar despite real-world attacks increasing. 

  • CVE-2022-47945 (ThinkPHP LFI) – A local file inclusion vulnerability in ThinkPHP that is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog and has a low EPSS score (7%), yet GreyNoise has observed a surge in exploitation attempts. 
  • CVE-2023-49103 (ownCloud GraphAPI Information Disclosure) – A vulnerability already highlighted in a joint advisory from CISA, NSA, and FBI as one of the most exploited in 2023, and exploitation continues to rise. 

Both vulnerabilities highlight a growing concern in how organizations prioritize patching:

  • Are security teams overlooking major threats because they don’t appear in KEV or have low EPSS scores?
  • How many other actively exploited vulnerabilities are slipping through the cracks?

What We’re Seeing: Surging Exploitation Activity 

GreyNoise has observed a rapid increase in exploit attempts for both vulnerabilities over the past 10 days.

Observed Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)

Observed Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)

Attackers are actively scanning for and targeting these vulnerabilities, yet only one is included in KEV, raising questions about how security teams are prioritizing threats.

CVE-2022-47945 (ThinkPHP LFI) - A Growing Target

  • ThinkPHP before version 6.0.14 is vulnerable to local file inclusion (LFI) via the `lang` parameter when language packs are enabled.
  • GreyNoise has observed 572 unique IPs attempting to exploit this vulnerability, with activity increasing in recent days. 
  • ThinkPHP vulnerabilities have been targeted by Chinese attackers in past campaigns. 
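
For defenders who want to check their own web logs for probing of the `lang` parameter described above, here is an added detection sketch (not GreyNoise code, and not part of the original post). It assumes combined-format access logs and that legitimate language-pack names look like `en` or `zh-cn`; the sample lines and IPs are constructed, and only the query string is inspected because access logs do not record request bodies.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate language-pack name is a short tag such as
# "en", "zh-cn" or "pt_BR". Anything else in `lang` is worth reviewing.
LANG_OK = re.compile(r"[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})?")

# Client IP and request target from a combined-format access log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*"')


def suspicious_lang_requests(lines):
    """Return {client_ip: [decoded lang values]} for non-conforming values."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, target = m.groups()
        query = urlsplit(target).query
        # parse_qs percent-decodes once, so %2F-encoded separators become
        # visible; a double-encoded value still contains '%' and is flagged.
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            # fullmatch: a trailing newline or extra text cannot slip through
            if not LANG_OK.fullmatch(value):
                hits[ip].append(value)
    return dict(hits)


# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?lang=..%2F..%2F..%2Ftmp%2Fplaceholder HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:06 +0000] "GET /?s=index&lang=..%252Ftmp%252Fplaceholder HTTP/1.1" 404 0',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /about?page=2 HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, values in suspicious_lang_requests(SAMPLE_LOG).items():
        print(ip, values)
```

The allow-list pattern is the part to tune: widen it to match the language packs your application actually ships before treating hits as alerts.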

CVE-2023-49103 (ownCloud GraphAPI) - Still Under Attack

  • An information disclosure vulnerability affecting ownCloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1.
  • Added to CISA KEV in November 2023, reinforcing its status as a known exploited vulnerability. 
  • GreyNoise has observed 484 unique IPs attempting exploitation, with confirmed threat actor activity.

Key Takeaways for Security Teams

  • EPSS and KEV don’t always align with real-world risk. CVE-2022-47945 has a low EPSS score (7%) yet is actively being exploited. 
  • CVE-2023-49103 remains a high-value target after being listed on KEV over a year ago. 
  • Real-time attack data is critical. Organizations overrelying on KEV and EPSS risk overlooking threats that attackers are actively scanning and exploiting. What’s being targeted and when can change in an instant, necessitating a real-time view of attacker activity. 

Mitigation Recommendations

  • Patch immediately — Upgrade ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+.
  • Monitor and block known malicious IPs — Use real-time GreyNoise data to track and mitigate active threats. 
  • Restrict exposure — Reduce access to affected services where possible to limit attack surface. 

Block Known Malicious IPs Now: CVE-2023-49103, CVE-2022-47945

A Larger Trend: Are We Prioritizing the Wrong Vulnerabilities? 

The difference in how these two CVEs are being treated highlights a broader challenge in vulnerability management. 

  • How many actively exploited vulnerabilities are being overlooked due to low EPSS scores?
  • Are organizations placing too much trust in KEV and EPSS alone when prioritizing patching?
  • What role should real-time exploitation intelligence play in risk management? 

Attackers are making their priorities clear. See live exploitation trends now for CVE-2023-49103 and CVE-2022-47945.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.