The exploit is available to everyone. Only upgrading to the latest version will save the web ecosystem from RCE.
Security researchers from the Taiwanese company DEVCORE have discovered a serious vulnerability affecting PHP installations on Windows in CGI mode. Identified as CVE-2024-4577 (CVSS rating has not yet been determined), the problem allows attackers to substitute command-line arguments, which can lead to remote code execution (RCE).
According to DEVCORE experts, the problem "grows" from another vulnerability-CVE-2012-1823, since the newly discovered bug allows you to bypass the protection implemented against it using certain character sequences.
CVE-2024-4577 affects all versions of PHP installed on the Windows operating system, namely:
Due to the widespread use of PHP in the web ecosystem, as well as the ease of use of the vulnerability, experts classified it as critical and immediately reported it to the official PHP team. The vulnerability report was published after the release of the corrected version of PHP, available for download on the official website.
According to experts, the vulnerability can potentially affect millions of websites and services running on Windows servers with PHP in CGI mode. However, at the time of writing the research article, it was only confirmed that an unauthorized attacker can directly execute arbitrary code on a remote server in the following interface localizations: traditional Chinese, simplified Chinese, and Japanese.
For Windows instances running in other localizations, due to the wide range of PHP usage scenarios, the authors of the study report that it is currently impossible to fully list or exclude all possible usage scenarios.
Administrators are encouraged to conduct a comprehensive asset assessment on their own, check their use cases, and update PHP to the latest version for security reasons.
It should also be taken into account that an exploit for this vulnerability has already been developed and published by specialists from watchTowr Labs, who described it as easily reproducible. In this regard, it is clearly not worth delaying the transition to the corrected version of PHP.
In addition, to prevent possible attacks, it is also recommended to regularly check server configurations, conduct security audits, and train employees in the safe use and administration of systems.
Security researchers from the Taiwanese company DEVCORE have discovered a serious vulnerability affecting PHP installations on Windows in CGI mode. Identified as CVE-2024-4577 (CVSS rating has not yet been determined), the problem allows attackers to substitute command-line arguments, which can lead to remote code execution (RCE).
According to DEVCORE experts, the problem "grows" from another vulnerability-CVE-2012-1823, since the newly discovered bug allows you to bypass the protection implemented against it using certain character sequences.
CVE-2024-4577 affects all versions of PHP installed on the Windows operating system, namely:
- from PHP version 8.3 to 8.3.8;
- from PHP version 8.2 to 8.2.20;
- from PHP version 8.1 to 8.1.29.
Due to the widespread use of PHP in the web ecosystem, as well as the ease of use of the vulnerability, experts classified it as critical and immediately reported it to the official PHP team. The vulnerability report was published after the release of the corrected version of PHP, available for download on the official website.
According to experts, the vulnerability can potentially affect millions of websites and services running on Windows servers with PHP in CGI mode. However, at the time of writing the research article, it was only confirmed that an unauthorized attacker can directly execute arbitrary code on a remote server in the following interface localizations: traditional Chinese, simplified Chinese, and Japanese.
For Windows instances running in other localizations, due to the wide range of PHP usage scenarios, the authors of the study report that it is currently impossible to fully list or exclude all possible usage scenarios.
Administrators are encouraged to conduct a comprehensive asset assessment on their own, check their use cases, and update PHP to the latest version for security reasons.
It should also be taken into account that an exploit for this vulnerability has already been developed and published by specialists from watchTowr Labs, who described it as easily reproducible. In this regard, it is clearly not worth delaying the transition to the corrected version of PHP.
In addition, to prevent possible attacks, it is also recommended to regularly check server configurations, conduct security audits, and train employees in the safe use and administration of systems.
