CVE-2024-4577

Confirmed PUBLISHED

Argument Injection in PHP-CGI

PHP Group · PHP
Exploited in the wild Used in malware PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
Confirmed
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
In CISA KEV
CVSS / EPSS
9.8 Critical EPSS 100.0%

At a Glance

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

windows nuclei_scanner ransomware malware nessus_scanner metasploit apache php cisa
CVE Published
Jun 09, 2024
Exploitation Reported
Jun 12, 2024
CVSS
9.8 Critical
EPSS
100.0%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
php_group
php

8.1.0 to < 8.1.29

Affected
php_group
php

8.2.0 to < 8.2.20

Affected
php_group
php

8.3.0 to < 8.3.8

Affected
PHP Group
PHP

8.1.* to < 8.1.29

Affected
PHP Group
PHP

8.2.* to < 8.2.20

Affected
PHP Group
PHP

8.3.* to < 8.3.8

Affected

CVE References

Show 14 more references

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.