An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.