// For flags

CVE-2024-4577

PHP-CGI OS Command Injection Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

49
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

Act
*SSVC
Descriptions

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

En las versiones de PHP 8.1.* anteriores a 8.1.29, 8.2.* anteriores a 8.2.20, 8.3.* anteriores a 8.3.8, cuando se usa Apache y PHP-CGI en Windows, si el sistema está configurado para usar ciertas páginas de códigos, Windows puede utilizar el comportamiento "Mejor ajuste" para reemplazar caracteres en la línea de comando proporcionada a las funciones de la API de Win32. El módulo PHP CGI puede malinterpretar esos caracteres como opciones de PHP, lo que puede permitir a un usuario malintencionado pasar opciones al binario PHP que se está ejecutando y, por lo tanto, revelar el código fuente de los scripts, ejecutar código PHP arbitrario en el servidor, etc.

PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.

PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.

*Credits: Orange Tsai, DEVCORE Research Team
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Act
Exploitation
Active
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-05-06 CVE Reserved
  • 2024-06-06 First Exploit
  • 2024-06-09 CVE Published
  • 2024-06-12 Exploited in Wild
  • 2024-07-03 KEV Due Date
  • 2024-08-15 EPSS Updated
  • 2024-08-19 CVE Updated
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (60)
URL Tag Source
http://www.openwall.com/lists/oss-security/2024/06/07/1 Mailing List
https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html Third Party Advisory
https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately Third Party Advisory
https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv Broken Link
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK Mailing List
https://security.netapp.com/advisory/ntap-20240621-0008
https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577 Third Party Advisory
https://www.php.net/ChangeLog-8.php#8.1.29 Release Notes
https://www.php.net/ChangeLog-8.php#8.2.20 Release Notes
https://www.php.net/ChangeLog-8.php#8.3.8 Release Notes
URL Date SRC
https://github.com/K3ysTr0K3R/CVE-2024-4577-EXPLOIT 2024-06-10
https://github.com/manuelinfosec/CVE-2024-4577 2024-06-08
https://github.com/zomasec/CVE-2024-4577 2024-06-09
https://github.com/cybersagor/CVE-2024-4577 2024-07-05
https://github.com/l0n3m4n/CVE-2024-4577-RCE 2024-07-07
https://github.com/bughuntar/CVE-2024-4577 2024-08-17
https://github.com/watchtowrlabs/CVE-2024-4577 2024-08-19
https://github.com/xcanwin/CVE-2024-4577-PHP-RCE 2024-08-19
https://github.com/TAM-K592/CVE-2024-4577 2024-06-11
https://github.com/Chocapikk/CVE-2024-4577 2024-06-09
https://github.com/11whoami99/CVE-2024-4577 2024-08-19
https://github.com/huseyinstif/CVE-2024-4577-Nuclei-Template 2024-06-24
https://github.com/ZephrFish/CVE-2024-4577-PHP-RCE 2024-06-19
https://github.com/Junp0/CVE-2024-4577 2024-06-07
https://github.com/fa-rrel/CVE-2024-4577-RCE 2024-08-20
https://github.com/gotr00t0day/CVE-2024-4577 2024-06-15
https://github.com/WanLiChangChengWanLiChang/CVE-2024-4577-RCE-EXP 2024-06-07
https://github.com/aaddmin1122345/CVE-2024-4577-POC 2024-06-12
https://github.com/waived/CVE-2024-4577-PHP-RCE 2024-07-15
https://github.com/VictorShem/CVE-2024-4577 2024-07-31
https://github.com/0x20c/CVE-2024-4577-nuclei 2024-06-08
https://github.com/bibo318/CVE-2024-4577-RCE-ATTACK 2024-07-11
https://github.com/Sh0ckFR/CVE-2024-4577 2024-06-13
https://github.com/Wh02m1/CVE-2024-4577 2024-06-07
https://github.com/ohhhh693/CVE-2024-4577 2024-06-07
https://github.com/olebris/CVE-2024-4577 2024-06-28
https://github.com/charis3306/CVE-2024-4577 2024-07-03
https://github.com/Sysc4ll3r/CVE-2024-4577 2024-06-07
https://github.com/AlperenY-cs/CVE-2024-4577 2024-06-29
https://github.com/ggfzx/CVE-2024-4577 2024-06-26
https://github.com/taida957789/CVE-2024-4577 2024-06-07
https://github.com/Jcccccx/CVE-2024-4577 2024-07-31
https://github.com/bl4cksku11/CVE-2024-4577 2024-06-11
https://github.com/BitMEXResearch/CVE-2024-4577 2024-06-07
https://github.com/nemu1k5ma/CVE-2024-4577 2024-06-13
https://github.com/princew88/CVE-2024-4577 2024-06-07
https://github.com/amandineVdw/CVE-2024-4577 2024-06-09
https://github.com/dbyMelina/CVE-2024-4577 2024-06-09
https://github.com/PhinehasNarh/CVE-2024-4577-Defend 2024-06-24
https://github.com/ManuelKy08/CVE-2024-4577---RR 2024-08-08
https://github.com/d3ck4/Shodan-CVE-2024-4577 2024-06-12
https://github.com/XiangDongCJC/CVE-2024-4577-PHP-CGI-RCE 2024-06-12
https://github.com/jakabakos/CVE-2024-4577-PHP-CGI-argument-injection-RCE 2024-06-18
https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers 2024-08-19
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en 2024-08-19
https://github.com/rapid7/metasploit-framework/pull/19247 2024-08-19
https://isc.sans.edu/diary/30994 2024-08-19
https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577 2024-08-19
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb 2024-06-06
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Php
Search vendor "Php"
 Php
Search vendor "Php" for product "Php"
 >= 5.0.0 < 8.1.29
Search vendor "Php" for product "Php" and version " >= 5.0.0 < 8.1.29"
-
Affected
Php
Search vendor "Php"
 Php
Search vendor "Php" for product "Php"
 >= 8.2.0 < 8.2.20
Search vendor "Php" for product "Php" and version " >= 8.2.0 < 8.2.20"
-
Affected
Php
Search vendor "Php"
 Php
Search vendor "Php" for product "Php"
 >= 8.3.0 < 8.3.8
Search vendor "Php" for product "Php" and version " >= 8.3.0 < 8.3.8"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 39
Search vendor "Fedoraproject" for product "Fedora" and version "39"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 40
Search vendor "Fedoraproject" for product "Fedora" and version "40"
-
Affected