Known Exploited Vulnerability
9.8
CRITICAL
CVE-2024-4577
PHP-CGI OS Command Injection Vulnerability - [Actively Exploited]
Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

INFO

Published Date: June 9, 2024, 8:15 p.m.
Last Modified: Aug. 14, 2024, 7:23 p.m.
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description: PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.

Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://www.php.net/ChangeLog-8.php#

Public PoC/Exploit Available at Github

CVE-2024-4577 has 94 public PoCs/exploits available on GitHub.

Affected Products

The following products are affected by CVE-2024-4577 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Fedoraproject fedora
1 Php php
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-4577.

URL Resource
http://www.openwall.com/lists/oss-security/2024/06/07/1 Mailing List Release Notes
https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/ Exploit Press/Media Coverage Third Party Advisory
https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html Third Party Advisory
https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately Third Party Advisory
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ Exploit Third Party Advisory
https://github.com/11whoami99/CVE-2024-4577 Exploit
https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv Broken Link
https://github.com/rapid7/metasploit-framework/pull/19247 Exploit Issue Tracking
https://github.com/watchtowrlabs/CVE-2024-4577 Exploit Third Party Advisory
https://github.com/xcanwin/CVE-2024-4577-PHP-RCE Exploit Third Party Advisory
https://isc.sans.edu/diary/30994 Exploit Third Party Advisory
https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ Exploit Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0008/ Third Party Advisory
https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/ Third Party Advisory
https://www.php.net/ChangeLog-8.php#8.1.29 Release Notes
https://www.php.net/ChangeLog-8.php#8.2.20 Release Notes
https://www.php.net/ChangeLog-8.php#8.3.8 Release Notes

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).

A Bash script designed to scan multiple domains for the CVE-2024-4577 vulnerability in PHP-CGI.

Shell

Updated: 14 hours, 57 minutes ago
2 stars 0 fork 0 watcher
Born at : Oct. 4, 2024, 1:10 p.m. This repo has been linked 1 different CVEs too.

None

Python C Shell PHP PowerShell ASP.NET

Updated: 1 day, 13 hours ago
0 stars 0 fork 0 watcher
Born at : Oct. 1, 2024, 2:21 p.m. This repo has been linked 66 different CVEs too.

This project is about setting up a Metasploitable 2 virtual machine and a Kali Linux virtual machine in VirtualBox. Then doing some basic hacks on the Metasploitable VM. Then doing a Nessus scan to create a vulnerability report.

Updated: 1 week, 4 days ago
0 stars 0 fork 0 watcher
Born at : Sept. 23, 2024, 6:10 a.m. This repo has been linked 1 different CVEs too.

A project that synchronizes the content of docs-base in Vulnerability-Wiki every day.

HTML

Updated: 2 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : Sept. 20, 2024, 3:27 a.m. This repo has been linked 203 different CVEs too.

None

Python

Updated: 2 weeks, 4 days ago
2 stars 1 fork 1 watcher
Born at : Sept. 12, 2024, 7:27 p.m. This repo has been linked 1 different CVEs too.

🚨 New Incident Report Completed! 🚨 Just wrapped up "Event ID 268: SOC292 - Possible PHP Injection Detected (CVE-2024-4577)" on LetsDefend.io. This analysis involved investigating an attempted Command Injection targeting our PHP server. Staying ahead of these threats with continuous monitoring and swift containment! 🛡️

Updated: 3 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : Sept. 12, 2024, 7:10 p.m. This repo has been linked 1 different CVEs too.

Scanning CVE-2024-4577 vulnerability with a url list.

cve-2024-4577

Python

Updated: 3 weeks, 2 days ago
0 stars 1 fork 1 watcher
Born at : Sept. 10, 2024, 5:31 p.m. This repo has been linked 1 different CVEs too.

None

Updated: 3 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at : Sept. 9, 2024, 1:28 a.m. This repo has been linked 128 different CVEs too.

None

HTML

Updated: 3 weeks, 4 days ago
0 stars 0 fork 0 watcher
Born at : Sept. 4, 2024, 9:24 a.m. This repo has been linked 128 different CVEs too.

PHP CGI Argument Injection (CVE-2024-4577) RCE

Python

Updated: 4 weeks ago
8 stars 2 fork 2 watcher
Born at : Aug. 20, 2024, 2:56 a.m. This repo has been linked 1 different CVEs too.

CVE-2024-4577 Exploits

Python

Updated: 1 month, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : Aug. 17, 2024, 2:01 a.m. This repo has been linked 1 different CVEs too.

None

Python

Updated: 1 month, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Aug. 8, 2024, 2:04 p.m. This repo has been linked 1 different CVEs too.

None

HTML

Updated: 1 month, 3 weeks ago
5 stars 0 fork 0 watcher
Born at : Aug. 2, 2024, 6:07 a.m. This repo has been linked 123 different CVEs too.

Batch verification of PoCs and exploits.

Python

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : July 31, 2024, 10:14 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : July 28, 2024, 1:24 p.m. This repo has been linked 7 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following news articles mention the CVE-2024-4577 vulnerability anywhere in their text.

  • Cybersecurity News
Linux Servers Under Siege: “Perfctl” Malware Evades Detection for Years

The entire attack flow (Image: Aqua Nautilus). In a recent report by Aqua Nautilus researchers Assaf Morag and Idan Revivo, the Linux server community has been alerted to the presence of a particularly ...

Published Date: Oct 03, 2024 (1 day, 16 hours ago)
  • Cybersecurity News
Cyberattack on Delta Prime: Losses Soar to $6M

The Delta Prime platform fell victim to a cyberattack resulting in the theft of cryptocurrency worth approximately $6 million. Initially, losses were reported at around $4.5 million, but the damage la ...

Published Date: Sep 18, 2024 (2 weeks, 2 days ago)
  • The Cyber Express
U.S. Intelligence Agencies Say Chinese Botnet Compromised 260,000 Devices

U.S. intelligence agencies issued a warning today about a Chinese botnet that has compromised 260,000 devices around the globe, including small office/home office (SOHO) routers, firewalls, network-at ...

Published Date: Sep 18, 2024 (2 weeks, 2 days ago)
  • Cybersecurity News
166k+ Projects at Risk: AutoGPT’s Critical Vulnerability Explained – CVE-2024-6091 (CVSS 9.8)

A significant security vulnerability has been discovered in AutoGPT, a powerful AI tool designed to automate tasks through intelligent agents. With over 166k stars on GitHub, AutoGPT has gained popula ...

Published Date: Sep 17, 2024 (2 weeks, 4 days ago)
  • Cybersecurity News
PAN-OS Vulnerabilities: Command Injection (CVE-2024-8686) and GlobalProtect Exposure (CVE-2024-8687)

Palo Alto Networks, a leading cybersecurity solutions provider, has recently released a critical security advisory, urging its customers to take immediate action to address several vulnerabilities dis ...

Published Date: Sep 12, 2024 (3 weeks, 2 days ago)
  • Cybersecurity News
CVE-2024-20017 (CVSS 9.8): Zero-Click Exploit Discovered in Popular Wi-Fi Chipsets, PoC Published

(Image: Hyprdude) Security researcher Hyprdude has published detailed information and a proof-of-concept (PoC) exploit for a critical vulnerability identified as CVE-2024-20017. With a CVSS score of 9.8, ...

Published Date: Sep 05, 2024 (1 month ago)
  • Kaspersky
IT threat evolution in Q2 2024. Non-mobile statistics

The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures In Q2 2024: Kaspersk ...

Published Date: Sep 03, 2024 (1 month ago)
  • Cybersecurity News
CVE-2024-7261 (CVSS 9.8): Zyxel Patches Critical Vulnerability in Wi-Fi Devices

Zyxel, a prominent networking equipment manufacturer, has issued a security advisory urging users to promptly update their firmware to address a critical vulnerability affecting a range of their acces ...

Published Date: Sep 03, 2024 (1 month ago)
  • Dark Reading
Taiwan University Under Fire From Unique DLL Backdoor

(Source: James Stone via Alamy Stock Photo) A never-before-seen backdoor, dubbed Msupedge, is targeting victims in Taiwan, using a unique communications technique. After Symantec researchers caught the ma ...

Published Date: Aug 21, 2024 (1 month, 1 week ago)
  • Kaspersky
Exploits and vulnerabilities in Q2 2024

Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a gener ...

Published Date: Aug 21, 2024 (1 month, 1 week ago)
  • BleepingComputer
Hackers use PHP exploit to backdoor Windows systems with new malware

Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability ...

Published Date: Aug 20, 2024 (1 month, 2 weeks ago)
  • The Hacker News
Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of ...

Published Date: Aug 20, 2024 (1 month, 2 weeks ago)
  • Cybersecurity News
Unseen Msupedge Malware Exploits PHP Flaw CVE-2024-4577 in Taiwanese University Cyberattack

A new and sophisticated backdoor, dubbed Backdoor.Msupedge, has been identified in a recent cyberattack targeting a university in Taiwan. Symantec’s security researchers have uncovered this previously ...

Published Date: Aug 20, 2024 (1 month, 2 weeks ago)
  • Cybersecurity News
CVE-2024-38200: Zero-Day Vulnerability in Microsoft Office: A Call for Urgent Action

In a recent advisory published on August 8th, Microsoft disclosed a high-severity zero-day vulnerability affecting multiple versions of its Office software suite. The vulnerability tracked as CVE-2024 ...

Published Date: Aug 11, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
MongoDB Patches High-Severity Windows Vulnerability (CVE-2024-7553) in Multiple Products

MongoDB, the popular NoSQL database provider, announced the patching of a high-severity vulnerability affecting multiple versions of its server and driver products. The flaw, tracked as CVE-2024-7553 ...

Published Date: Aug 09, 2024 (1 month, 3 weeks ago)
  • malware-traffic-analysis.net
2024-06-11 - Traffic example of a CVE-2024-4577 probe

NOTES: I saw a single hit from 221.122.67[.]75 for a CVE-2024-4577 probe on an Ubuntu Apache web server I am running. I sanitized the pcap of this example, changing the associated MAC addresses and al ...

Published Date: Jun 13, 2024 (3 months, 3 weeks ago)

The following table lists the changes that have been made to the CVE-2024-4577 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Aug. 14, 2024

    Action Type Old Value New Value
    Changed Reference Type https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/ Exploit, Third Party Advisory https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/ Exploit, Press/Media Coverage, Third Party Advisory
    Changed Reference Type https://github.com/rapid7/metasploit-framework/pull/19247 Exploit https://github.com/rapid7/metasploit-framework/pull/19247 Exploit, Issue Tracking
    Changed Reference Type https://security.netapp.com/advisory/ntap-20240621-0008/ No Types Assigned https://security.netapp.com/advisory/ntap-20240621-0008/ Third Party Advisory
  • CVE Modified by [email protected]

    Jun. 21, 2024

    Action Type Old Value New Value
    Added Reference PHP Group https://security.netapp.com/advisory/ntap-20240621-0008/ [No types assigned]
  • Modified Analysis by [email protected]

    Jun. 21, 2024

    Action Type Old Value New Value
    Changed Reference Type http://www.openwall.com/lists/oss-security/2024/06/07/1 No Types Assigned http://www.openwall.com/lists/oss-security/2024/06/07/1 Mailing List, Release Notes
    Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ Mailing List, Third Party Advisory
    Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ Mailing List, Third Party Advisory
    Added CPE Configuration OR *cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Jun. 13, 2024

    Action Type Old Value New Value
    Added Reference PHP Group https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/ [No types assigned]
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jun. 13, 2024

    Action Type Old Value New Value
    Added Date Added 2024-06-12
    Added Vulnerability Name PHP-CGI OS Command Injection Vulnerability
    Added Due Date 2024-07-03
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • CVE Modified by [email protected]

    Jun. 12, 2024

    Action Type Old Value New Value
    Added Reference PHP Group https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/ [No types assigned]
  • CVE Modified by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
    Added Reference PHP Group http://www.openwall.com/lists/oss-security/2024/06/07/1 [No types assigned]
  • CVE Modified by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
  • Initial Analysis by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/ No Types Assigned https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/ Exploit, Third Party Advisory
    Changed Reference Type https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html No Types Assigned https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html Third Party Advisory
    Changed Reference Type https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately No Types Assigned https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately Third Party Advisory
    Changed Reference Type https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ No Types Assigned https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ Exploit, Third Party Advisory
    Changed Reference Type https://github.com/11whoami99/CVE-2024-4577 No Types Assigned https://github.com/11whoami99/CVE-2024-4577 Exploit
    Changed Reference Type https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv No Types Assigned https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv Broken Link
    Changed Reference Type https://github.com/rapid7/metasploit-framework/pull/19247 No Types Assigned https://github.com/rapid7/metasploit-framework/pull/19247 Exploit
    Changed Reference Type https://github.com/watchtowrlabs/CVE-2024-4577 No Types Assigned https://github.com/watchtowrlabs/CVE-2024-4577 Exploit, Third Party Advisory
    Changed Reference Type https://github.com/xcanwin/CVE-2024-4577-PHP-RCE No Types Assigned https://github.com/xcanwin/CVE-2024-4577-PHP-RCE Exploit, Third Party Advisory
    Changed Reference Type https://isc.sans.edu/diary/30994 No Types Assigned https://isc.sans.edu/diary/30994 Exploit, Third Party Advisory
    Changed Reference Type https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ No Types Assigned https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ Exploit, Third Party Advisory
    Changed Reference Type https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/ No Types Assigned https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/ Third Party Advisory
    Changed Reference Type https://www.php.net/ChangeLog-8.php#8.1.29 No Types Assigned https://www.php.net/ChangeLog-8.php#8.1.29 Release Notes
    Changed Reference Type https://www.php.net/ChangeLog-8.php#8.2.20 No Types Assigned https://www.php.net/ChangeLog-8.php#8.2.20 Release Notes
    Changed Reference Type https://www.php.net/ChangeLog-8.php#8.3.8 No Types Assigned https://www.php.net/ChangeLog-8.php#8.3.8 Release Notes
    Added CWE NIST CWE-78
    Added CPE Configuration OR *cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from (including) 5.0.0 up to (excluding) 8.1.29 *cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from (including) 8.2.0 up to (excluding) 8.2.20 *cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions from (including) 8.3.0 up to (excluding) 8.3.8
  • CVE Modified by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
    Added Reference PHP Group https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately [No types assigned]
    Added Reference PHP Group https://isc.sans.edu/diary/30994 [No types assigned]
  • CVE Modified by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
    Added Reference PHP Group https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html [No types assigned]
    Added Reference PHP Group https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ [No types assigned]
    Added Reference PHP Group https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/ [No types assigned]
    Added Reference PHP Group https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/ [No types assigned]
    Added Reference PHP Group https://github.com/11whoami99/CVE-2024-4577 [No types assigned]
    Added Reference PHP Group https://github.com/xcanwin/CVE-2024-4577-PHP-RCE [No types assigned]
    Added Reference PHP Group https://github.com/rapid7/metasploit-framework/pull/19247 [No types assigned]
    Added Reference PHP Group https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ [No types assigned]
    Added Reference PHP Group https://github.com/watchtowrlabs/CVE-2024-4577 [No types assigned]
    Added Reference PHP Group https://www.php.net/ChangeLog-8.php#8.1.29 [No types assigned]
    Added Reference PHP Group https://www.php.net/ChangeLog-8.php#8.2.20 [No types assigned]
    Added Reference PHP Group https://www.php.net/ChangeLog-8.php#8.3.8 [No types assigned]
  • CVE Received by [email protected]

    Jun. 09, 2024

    Action Type Old Value New Value
    Added Description In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
    Added Reference PHP Group https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv [No types assigned]
    Added CWE PHP Group CWE-78
    Added CVSS V3.1 PHP Group AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

[Chart: EPSS score history of the vulnerability]

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-4577 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

CVSS31 - Vulnerability Scoring System
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High