CVE-2024-4577
Confirmed PUBLISHEDArgument Injection in PHP-CGI
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
- CVE Published
- Jun 09, 2024
- Exploitation Reported
- Jun 12, 2024
- CVSS
- 9.8 Critical
- EPSS
- 100.0%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| php_group |
php
|
8.1.0 to < 8.1.29 |
Affected |
| php_group |
php
|
8.2.0 to < 8.2.20 |
Affected |
| php_group |
php
|
8.3.0 to < 8.3.8 |
Affected |
| PHP Group |
PHP
|
8.1.* to < 8.1.29 |
Affected |
| PHP Group |
PHP
|
8.2.* to < 8.2.20 |
Affected |
| PHP Group |
PHP
|
8.3.* to < 8.3.8 |
Affected |
CVE References
- GitHub — php/php-src github.com · CVE Record https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv
- blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html blog.orange.tw · CVE Record https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
- devco.re/blog/2024/06/06/security-alert-cve-2024-4577... devco.re · CVE Record https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi...
- arstechnica.com/security/2024/06/php-vulnerability-allows-at... arstechnica.com · CVE Record https://arstechnica.com/security/2024/06/php-vulnerability-allows-att...
- imperva.com/blog/imperva-protects-against-critical-php-v... imperva.com · CVE Record https://www.imperva.com/blog/imperva-protects-against-critical-php-vu...
Show 14 more references
- GitHub — 11whoami99/CVE-2024-4577 github.com · CVE Record https://github.com/11whoami99/CVE-2024-4577
- GitHub — xcanwin/CVE-2024-4577-PHP-RCE github.com · CVE Record https://github.com/xcanwin/CVE-2024-4577-PHP-RCE
- GitHub — rapid7/metasploit-framework github.com · CVE Record https://github.com/rapid7/metasploit-framework/pull/19247
- labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577 labs.watchtowr.com · CVE Record https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
- GitHub — watchtowrlabs/CVE-2024-4577 github.com · CVE Record https://github.com/watchtowrlabs/CVE-2024-4577
- php.net/ChangeLog-8.php php.net · CVE Record https://www.php.net/ChangeLog-8.php#8.1.29
- php.net/ChangeLog-8.php php.net · CVE Record https://www.php.net/ChangeLog-8.php#8.2.20
- php.net/ChangeLog-8.php php.net · CVE Record https://www.php.net/ChangeLog-8.php#8.3.8
- cert.be/en/advisory/warning-php-remote-code-executio... cert.be · CVE Record https://cert.be/en/advisory/warning-php-remote-code-execution-patch-i...
- isc.sans.edu/diary/30994 isc.sans.edu · CVE Record https://isc.sans.edu/diary/30994
- OSS-Security Mailing List openwall.com · CVE Record http://www.openwall.com/lists/oss-security/2024/06/07/1
- lists.fedoraproject.org/archives/list/[email protected]... lists.fedoraproject.org · CVE Record https://lists.fedoraproject.org/archives/list/package-announce@lists....
- lists.fedoraproject.org/archives/list/[email protected]... lists.fedoraproject.org · CVE Record https://lists.fedoraproject.org/archives/list/package-announce@lists....
- security.netapp.com/advisory/ntap-20240621-0008 security.netapp.com · CVE Record https://security.netapp.com/advisory/ntap-20240621-0008/
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2024-06-12 00:00 UTC |
| The Shadowserver | 2026-05-31 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4577.yaml | Apr 25, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2024-06-12 00:00:00 UTC · CISA
Used in malware
Recorded 2024-06-12 00:00:00 UTC · CISA
Proof of concept available
Recorded 2024-07-11 02:22:32 UTC · GitHub
Weaknesses (CWE)
-
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4577.yaml | Apr 25, 2025 |
| Nessus | https://www.tenable.com/plugins/nessus/214953 | Feb 04, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-11-06 05:30:33 UTC · 23 stars
CVE-2024-4577 RCE PoC
github · Created 2024-10-14 09:11:06 UTC · 4 stars
github · Created 2024-10-04 13:10:19 UTC · 3 stars
A Bash script designed to scan multiple domains for the CVE-2024-4577 vulnerability in PHP-CGI.
github · Created 2024-09-12 19:27:52 UTC · 2 stars
github · Created 2024-08-20 02:56:03 UTC · 20 stars
PHP CGI Argument Injection (CVE-2024-4577) RCE
github · Created 2024-07-15 21:31:14 UTC · 5 stars
Automated PHP remote code execution scanner for CVE-2024-4577
github · Created 2024-07-11 02:22:32 UTC · 4 stars
ATTACK PoC - PHP CVE-2024-4577
github · Created 2024-07-06 19:37:14 UTC · 7 stars
PoC - PHP CGI Argument Injection CVE-2024-4577 (Scanner and Exploit)
github · Created 2024-06-28 14:11:15 UTC · 2 stars
Create lab for CVE-2024-4577
github · Created 2024-06-15 02:49:37 UTC · 11 stars
Argument injection vulnerability in PHP
github · Created 2024-06-13 14:25:04 UTC · 3 stars
Fixed and minimalist PoC of the CVE-2024-4577
github · Created 2024-06-09 23:32:11 UTC · 9 stars
A PoC exploit for CVE-2024-4577 - PHP CGI Argument Injection Remote Code Execution (RCE)
github · Created 2024-06-09 14:18:21 UTC · 29 stars
PHP CGI Argument Injection vulnerability
github · Created 2024-06-08 13:04:45 UTC · 144 stars
[漏洞复现] 全球首款利用PHP默认环境(XAMPP)的CVE-2024-4577 PHP-CGI RCE 漏洞 EXP。
github · Created 2024-06-08 12:23:35 UTC · 26 stars
PHP RCE PoC for CVE-2024-4577 written in bash, go, python and a nuclei template
github · Created 2024-06-08 05:27:44 UTC · 9 stars
Proof Of Concept RCE exploit for critical vulnerability in PHP <8.2.15 (Windows), allowing attackers to execute arbitrary commands.
github · Created 2024-06-08 03:12:28 UTC · 3 stars
CVE-2024-4577 nuclei-templates
github · Created 2024-06-07 17:02:52 UTC · 0 stars
github · Created 2024-06-07 10:40:37 UTC · 19 stars
github · Created 2024-06-07 09:52:54 UTC · 275 stars
PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
github · Created 2024-06-07 09:51:39 UTC · 44 stars
POC & $BASH script for CVE-2024-4577
github · Created 2024-06-07 09:42:40 UTC · 2 stars
PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
github · Created 2024-06-07 05:50:23 UTC · 79 stars
CVE-2024-4577 is a critical vulnerability in PHP affecting CGI configurations, allowing attackers to execute arbitrary commands via crafted URL parameters.
nuclei · Created Unknown
metasploit · Created Unknown
Metasploit module for CVE-2024-4577
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC about 2 months ago00:00 UTC · about 2 months ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
15:02 UTC about 1 year ago15:02 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
20:07 UTC over 1 year ago20:07 UTC · over 1 year ago
Nessus plugin available
Scanner coverage available
-
02:22 UTC about 2 years ago02:22 UTC · about 2 years ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC about 2 years ago00:00 UTC · about 2 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
00:00 UTC about 2 years ago00:00 UTC · about 2 years ago
First public exploitation report
Exploit observed in malware
-
19:42 UTC about 2 years ago19:42 UTC · about 2 years ago
CVE published
Vulnerability disclosed publicly
-
22:21 UTC about 2 years ago22:21 UTC · about 2 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2024-4577
{
"cve_id": "CVE-2024-4577",
"title": "Argument Injection in PHP-CGI",
"affected_vendor": "PHP Group",
"affected_product": "PHP",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": 0.99987,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}