This live blog contains information regarding a PHP CGI Argument Injection Vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on June 11, 2024.
Update 12 June
A proof of concept was published this week and is now being actively abused. Research by T-CERT shows that more than 70 servers in the Netherlands are vulnerable to this exploit. Malware campaigns have also been seen that actively abuse this vulnerability, which once again underlines the importance of patching.
Background
A severe vulnerability has been discovered in the PHP CGI (Common Gateway Interface) implementation, allowing unauthenticated attackers to inject special arguments via the URL. This can lead to the execution of arbitrary code on Windows servers. The issue arises from PHP CGI’s insecure handling of arguments, enabling command injection that the server executes.
CVE-2024-4577 has a CVSS-score of 9.8. This indicates a high risk of abuse and significant impact.
Potential Risk
This vulnerability affects all PHP versions on Windows systems, particularly:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Attackers can compromise servers, potentially gaining full control over the system. Standard XAMPP configurations and specific Windows locales are especially vulnerable.
Advise
The best way to mitigate this vulnerability is by updating to the latest PHP versions (PHP 8.3.8, 8.2.20, and 8.1.29).
For systems that cannot be updated immediately, it is recommended to implement temporary rewrite rules that block dangerous URL patterns.
Using safer architectures like Mod-PHP or PHP-FPM offers a structural solution, as they do not share the same vulnerabilities as the CGI implementation. These steps help prevent attackers from exploiting the vulnerability and ensure a more secure server environment.
Subscribe
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.
Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.