CVE-2024-4577

Name of the Vulnerable Software and Affected Versions PHP versions 8.1.0 through 8.1.28 PHP versions 8.2.0 through 8.2.19 PHP versions 8.3.0 through 8.3.7

Description PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when used with Apache and PHP-CGI on Windows systems configured to use certain code pages, are vulnerable to a remote code execution (RCE) flaw (CVE-2024-4577). This vulnerability arises because the PHP CGI module may misinterpret characters as PHP options, allowing attackers to execute arbitrary code. Exploitation of this vulnerability has been observed in active attacks, including the deployment of ransomware (TellYouThePass) and cryptominers (XMRig, JuicyPotato). Attackers are also using this vulnerability for initial access and credential theft, particularly targeting organizations in Japan. The vulnerability is due to the way Windows handles character conversions, specifically the "Best-Fit" behavior. Publicly available exploits exist, and the vulnerability is being actively exploited in the wild.

Recommendations Upgrade PHP to version 8.3.8 or later. Upgrade PHP to version 8.2.20 or later. Upgrade PHP to version 8.1.29 or later. If upgrading is not immediately possible, consider disabling PHP-CGI or implementing a mod rewrite rule to mitigate the vulnerability.