Proof of Concept Published for PHP (Windows) Vulnerability - 20240610001¶
Overview¶
The Shadow Server Foundation has reported seeing attempts to exploit this Critical vulnerability on their Honeypots.
This vulnerability in the Windows version of PHP may allow an actor to reveal the source code of scripts, run arbitrary PHP code on the server, and similar actions.
What is vulnerable?¶
| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated |
|---|---|---|---|---|---|
| CVE-2024-4577 | Critical | 9.8 | versions before 8.1.29, 8.2.20, 8.3.8 | When using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run. | 6 June 2024 |
What has been observed?¶
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours (refer Patch Management):
- https://www.php.net/
Additional References¶
- https://x.com/Shadowserver/status/1799053497490698548
- https://securityonline.info/researchers-detail-critical-php-flaw-cve-2024-4577-with-poc-exploit-code/
- https://www.bleepingcomputer.com/news/security/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows/