PHP Vulnerability Active Exploitation - 20240712003¶
Overview¶
The WA SOC has been made aware of a vulnerability in versions of PHP that when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behaviour to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
What is vulnerable?¶
| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
|---|---|---|---|---|
| PHP | Versions before 8.1.29, 8.2.20, 8.3.8 | CVE-2024-4577 | 9.8 | Critical |
What has been observed?¶
Since the Publication of Advisory #20240610001, the WA SOC has been made aware of active exploitation of the vulnerability. The WA SOC strongly advises administrators to apply patches to all affected systems, and also to monitor for any unexpected or suspicious behaviour.
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours... (refer Patch Management):
Additional References¶
- WA SOC: https://soc.cyber.wa.gov.au/advisories/20240610001-PoC-PHP-vulnerability
- The Hacker News: https://thehackernews.com/2024/07/php-vulnerability-exploited-to-spread.html