Cybersecurity researchers have uncovered a new vulnerability in PHP that could allow attackers to execute malicious code remotely. Tracked as CVE-2024-4577, this CGI argument injection vulnerability affects all versions of PHP on Windows operating systems. It was inadvertently introduced while patching a previous flaw, CVE-2012-1823.
DEVCORE researchers explained that the vulnerability arose due to an oversight in the Best-Fit feature of encoding conversion within Windows: “While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system.
This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 using specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”
A patch is now available, and the earliest fixed versions include 8.3.8, 8.2.20, and 8.1.29. Users are strongly advised to apply the patch immediately, as there is evidence of threat actors actively scanning the internet for vulnerable endpoints.
The Shadowserver Foundation has reported seeing hackers probing for this vulnerability since June 7th: “Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today,” the non-profit stated on X.
A PHP for Windows remote code execution (RCE) vulnerability has been disclosed, impacting all releases since version 5.x and impacting a massive number of servers worldwide. PHP is a widely used open-source scripting language designed for web development. https://t.co/XWhfpIxetN pic.twitter.com/xGPjliZsk3
— Riskigy (@riskigy) June 10, 2024
Additionally, DEVCORE warned that all XAMPP installations on Windows are vulnerable by default when set to use locales for Traditional Chinese, Simplified Chinese, or Japanese. Administrators should replace outdated PHP CGI with alternatives such as Mod-PHP, FastCGI, or PHP-FPM to mitigate the risk.
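The patch guidance and DEVCORE's mitigation advice above can be turned into an inventory triage, shown here as an added example that is not code from the article, DEVCORE or the PHP project. The record fields (`name`, `os`, `php`, `sapi`, `locale`), the `sapi` labels, the locale tags and the hostnames are assumptions made for the example, as is treating branches newer than 8.3 as already fixed.

```python
import re

# Earliest fixed releases named in the article, keyed by release branch.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
# Locales the article says leave XAMPP on Windows vulnerable by default
# (Traditional Chinese, Simplified Chinese, Japanese); the tags are assumed.
HIGH_RISK_LOCALES = {"zh-tw", "zh-cn", "ja-jp"}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'PHP/8.2.12'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PHP version in {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(host):
    """Return (status, note); status is not-affected, patched, update or urgent."""
    if host["os"].lower() != "windows":
        return "not-affected", "CVE-2024-4577 is specific to PHP on Windows"
    version = parse_version(host["php"])
    fixed = FIXED.get(version[:2])
    if fixed is None and version[:2] > max(FIXED):
        # Assumption: branches newer than those listed already contain the fix.
        return "patched", "branch is newer than the fixed releases listed"
    if fixed is not None and version >= fixed:
        return "patched", "at or above %d.%d.%d" % fixed
    target = "%d.%d.%d" % fixed if fixed else "a fixed branch (none listed for this one)"
    if host["sapi"].lower() != "cgi":
        return "update", "upgrade to " + target
    note = "PHP CGI in use; upgrade to %s or replace CGI as advised" % target
    if host.get("locale", "").lower() in HIGH_RISK_LOCALES:
        note += "; locale is one flagged as vulnerable by default"
    return "urgent", note


# Constructed inventory records; 'sapi' values are labels for this example.
INVENTORY = [
    {"name": "web-01", "os": "Windows", "php": "PHP/8.2.12", "sapi": "cgi", "locale": "zh-TW"},
    {"name": "web-02", "os": "Windows", "php": "8.3.8", "sapi": "cgi", "locale": "en-US"},
    {"name": "web-03", "os": "Linux", "php": "8.1.2", "sapi": "cgi"},
    {"name": "web-04", "os": "Windows", "php": "7.4.33", "sapi": "cgi", "locale": "en-US"},
    {"name": "web-05", "os": "Windows", "php": "8.1.28", "sapi": "mod_php"},
]


def report(inventory):
    # Map each host name to its triage status.
    return {host["name"]: triage(host)[0] for host in inventory}
```

Hosts on branches with no fixed release listed (such as `web-04`) stay flagged until they are moved to a fixed branch or off PHP CGI.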
“This vulnerability is incredibly simple, but that’s also what makes it interesting,” DEVCORE researchers noted. “Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?”
We also covered the PHP critical RCE flaw earlier this week. Users should act swiftly to update their systems and safeguard against potential attacks.
Abdul Rehman