Skip to content
New Report: Get your copy of The 2024 State of the Internet Report! | Download Today
Advisory

June 10, 2024: PHP-CGI Argument Injection Vulnerability Could Lead to Remote Code Execution

  • Issue Name and Description: PHP-CGI Argument Injection Vulnerability. This is a critical argument injection vulnerability in PHP that can be exploited to achieve remote code execution (RCE) on affected systems.
  • Date Published: June 6th, 2024
  • CVE-ID and CVSS Score: CVE-2024-4577, CVSS Score: 9.8 (Critical)
  • CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command
  • Asset Description: The vulnerability affects PHP installations running on Windows operating systems with PHP running in CGI mode or exposing the PHP binary in the following versions:
    • PHP 8.3 < 8.3.8
    • PHP 8.2 < 8.2.20
    • PHP 8.1 < 8.1.29
  • Vulnerability Impact: A successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the vulnerable PHP server, leading to complete system compromise.
  • Exploitation Details: The vulnerability is a result of errors in character encoding conversions, specifically affecting the “Best Fit” feature on Windows. It allows an attacker to bypass previous protections like CVE-2012-1823 through specific character sequences, enabling argument injection attacks. This issue is currently not in CISA KEV, although ShadowServer has observed exploitation attempts on its sensors (https://infosec.exchange/@shadowserver/112575314920464732).
  • Patch Availability: Patched versions 8.3.8, 8.2.20, and 8.1.29 were released by PHP on June 6, 2024 to address this vulnerability: https://www.php.net/ . Upgrading to these versions is the recommended solution. For systems that cannot be immediately upgraded, temporary mitigation measures like modifying Apache rewrite rules or disabling the PHP-CGI feature are provided.
  • Global Footprint: Censys observes about 458,800 exposures of potentially vulnerable PHP instances as of June 9, 2024 — although note that this is likely an overestimate of the true impact of this vulnerability, given that we cannot detect when CGI mode is enabled. Most of these exposures are geolocated in the United States, followed by Germany.
Map of Censys-Visible Potentially Vulnerable PHP Instances on June 9, 2024.

Map of Censys-Visible Potentially Vulnerable PHP Instances on June 9, 2024 — Note that this does not account for whether or not CGI is enabled (created with kepler.gl)

 

Attack Surface Management Solutions
Learn more