PHP CGI Module Vulnerability Allows Malicious User to Reveal Source Code and Run Arbitrary PHP Code on Server
Key Information
- Vendor
- PHP Group
- Status
- PHP
- Vendor
- CVE Published:
- 9 June 2024
Badges
Summary
The vulnerability, identified as CVE-2024-4577, affects PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows. It allows unauthenticated attackers to bypass protections and execute arbitrary code on remote PHP servers through an argument injection attack. The flaw in the Best-Fit feature of Windows' encoding conversion enables attackers to reveal source code, run arbitrary PHP code on the server, and potentially execute malicious activities. The affected PHP versions are 8.3 < 8.3.8, 8.2 < 8.2.20, and 8.1 < 8.1.29, and the vulnerability particularly threatens servers running PHP on Windows in Traditional Chinese, Simplified Chinese, and Japanese locales. Exploiting this vulnerability can allow attackers to execute arbitrary code through the PHP interpreter, posing a widespread threat to server administrators. Researchers advise immediate action by evaluating systems and implementing the recommended patches or upgrading to the latest PHP versions. Additionally, administrators should consider moving away from CGI altogether and opting for more modern solutions such as Mod-PHP, FastCGI, or PHP-FPM. It is important to note that this vulnerability is actively being exploited, and the recommended patches should be implemented promptly to mitigate this critical risk.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-4577 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
PHP <= 8.1.*
PHP < 8.1.29
PHP < 8.2.20
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
@Securelist CVE-2024-4577CVE-2024-26229Analyzing the vulnerability landscape in Q2 2024
The report contains statistics on vulnerabilities and exploits, with an analysis of interesting vulnerabilities found in Q2 2024.
1 month ago
Hackers use PHP exploit to backdoor Windows systems with new malware
Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577).
1 month ago
高危!PHP CGI Windows平台远程代码执行漏洞风险通告
近日,亚信安全CERT监控到安全社区研究人员发布安全通告,披露了PHP CGI Windows平台存在远程代码执行漏洞(CVE-2024-4577)。该漏洞发生在PHP在Window平台运行且使用特定语系的情况下。攻击者可在无需登陆的情况下,构造恶意请求绕过CVE-2012-1823 的保护,执行任意PHP代码。
2 months ago
EPSS Score
96% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 👾
Exploit exists.
- 🔥
Vulnerability reached the number 1 worldwide trending spot.
Vulnerability started trending.
Vulnerability published.
First article discovered by Heise Online
Vulnerability Reserved.