CVE-2024-1874

9.4 CRITICAL

📋 TL;DR

This vulnerability allows remote command execution on Windows systems running vulnerable PHP versions. When using proc_open() with array syntax, insufficient argument escaping enables attackers to execute arbitrary shell commands. Affects PHP applications where user-controlled input is passed to proc_open() on Windows.

💻 Affected Systems

Products:
  • PHP
Versions: PHP 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems. Linux/macOS systems are not vulnerable. Requires proc_open() with array syntax and user-controlled arguments.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise, with the attacker gaining complete control over the Windows server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web application compromise, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated: Limited impact if proper input validation and escaping are implemented, though the underlying vulnerability remains until PHP is patched.

🌐 Internet-Facing: HIGH - Web applications accepting user input that reaches proc_open() are directly exploitable from the internet.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in security advisories. Exploitation is straightforward once user input reaches the vulnerable code path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PHP 8.1.28, 8.2.18, 8.3.5

Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7

Restart Required: Yes

Instructions:

1. Back up your PHP configuration and application.
2. Download and install the patched PHP version from php.net.
3. Replace the existing PHP installation.
4. Restart the web server (Apache/Nginx) and PHP-FPM if used.
5. Test application functionality.

🔧 Temporary Workarounds

Input validation and escaping

Implement strict input validation and escape every shell argument before passing it to proc_open():

escapeshellarg($user_input) for each argument
filter_var($input, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^[A-Za-z0-9_.-]+$/']]) for allowlist validation (FILTER_VALIDATE_STRING is not a PHP filter constant; FILTER_VALIDATE_REGEXP with an explicit allowlist is the supported way to validate a string with filter_var())

Disable proc_open() if unused

Add proc_open to the disable_functions directive in php.ini if the application does not require it:

disable_functions = proc_open

🧯 If You Can't Patch

  • Implement strict input validation and escaping for all user inputs passed to proc_open()
  • Use alternative functions like exec() with proper escaping instead of proc_open() with array syntax
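The following is an added example, not code from the PHP project or from this advisory, showing the two workarounds above (strict allowlist validation plus escapeshellarg() per argument) combined in one wrapper that an application could use in place of raw proc_open() calls with array syntax. The helper names assert_safe_argument() and run_tool() are ours, and the sample inputs at the bottom are constructed; the program path is chosen by the application, never by the user.

```php
<?php
// Added example (not part of the advisory): a hardened wrapper around proc_open().
// Helper names are hypothetical; sample inputs are constructed.
declare(strict_types=1);

/**
 * Reject any argument that is not plain alphanumeric, dot, dash or underscore.
 * Shell metacharacters (quotes, ^, &, |, <, >, %, !, spaces) never reach the command.
 */
function assert_safe_argument(string $arg): string
{
    $ok = filter_var($arg, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_.-]{1,64}$/']]);
    if ($ok === false) {
        throw new InvalidArgumentException('rejected unsafe argument: ' . var_export($arg, true));
    }
    return $arg;
}

/**
 * Run a fixed program with validated, individually escaped arguments.
 * Returns [exit code, stdout, stderr]. $program is an absolute path hardcoded
 * by the application; only $userArgs may originate from a request.
 */
function run_tool(string $program, array $userArgs): array
{
    $args = array_map('assert_safe_argument', $userArgs);

    // Build one escaped command string rather than relying on array-syntax escaping;
    // escapeshellarg() applies the platform's quoting rules (double quotes on Windows).
    $cmd = escapeshellarg($program);
    foreach ($args as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }

    $spec = [
        0 => ['pipe', 'r'],   // stdin
        1 => ['pipe', 'w'],   // stdout
        2 => ['pipe', 'w'],   // stderr
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start $program");
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return [$code, $out, $err];
}

// Constructed inputs: the first is accepted, the second is rejected before any
// process is started because it carries a space and a shell metacharacter.
foreach (['report-2024.txt', 'report.txt & other'] as $candidate) {
    try {
        assert_safe_argument($candidate);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}

// Typical call site (hypothetical path):
// [$code, $out, $err] = run_tool('C:\\tools\\convert.exe', [$_GET['name'] ?? '']);
```

The allowlist is deliberately narrow; widen the character class only for the specific arguments a tool needs, and keep rejecting rather than sanitising, so that a malformed value fails loudly instead of being silently rewritten.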

🔍 How to Verify

Check if Vulnerable:

Check the PHP version with php -v and verify whether it falls in the affected range on Windows. Review code for proc_open() usage with array syntax and user-controlled input.

Check Version:

php -v | findstr "PHP"

(findstr is the built-in equivalent on Windows; use php -v | grep "PHP" only where a Unix-style shell such as Git Bash is available.)

Verify Fix Applied:

Confirm PHP version is 8.1.28+, 8.2.18+, or 8.3.5+ using php -v command.
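As an added example (not from the advisory or the PHP project), the version check above can be scripted so it compares the running interpreter against the patched releases named in the Official Fix section and also confirms the disable_functions workaround. The function names are ours; the constant PHP_OS_FAMILY and version_compare() are standard PHP.

```php
<?php
// Added example (not part of the advisory): verify patch level and workaround state.
declare(strict_types=1);

// Patched release per branch, exactly as listed in the Official Fix section.
const PATCHED_RELEASES = ['8.1' => '8.1.28', '8.2' => '8.2.18', '8.3' => '8.3.5'];

/**
 * true  = affected branch and older than the fix (vulnerable),
 * false = at or above the fix, or the host is not Windows,
 * null  = branch not covered by this advisory (assess separately).
 */
function is_vulnerable_version(string $version, string $osFamily = PHP_OS_FAMILY): ?bool
{
    if ($osFamily !== 'Windows') {
        return false;                       // the advisory applies to Windows builds only
    }
    $parts  = explode('.', $version);
    $branch = ($parts[0] ?? '0') . '.' . ($parts[1] ?? '0');
    if (!isset(PATCHED_RELEASES[$branch])) {
        return null;
    }
    return version_compare($version, PATCHED_RELEASES[$branch], '<');
}

/** With proc_open in disable_functions, the function is undefined at runtime. */
function proc_open_disabled(): bool
{
    return !function_exists('proc_open');
}

// Report on the interpreter this script runs under.
$state = is_vulnerable_version(PHP_VERSION);
$verdict = $state === null
    ? 'branch not covered by CVE-2024-1874'
    : ($state ? 'VULNERABLE, patch required' : 'fixed or not affected');
printf("PHP %s on %s: %s\n", PHP_VERSION, PHP_OS_FAMILY, $verdict);
printf("proc_open() disabled via disable_functions: %s\n", proc_open_disabled() ? 'yes' : 'no');

// Constructed checks against the advisory's ranges, independent of the host.
foreach ([['8.2.17', 'Windows'], ['8.2.18', 'Windows'], ['8.3.4', 'Linux'], ['8.0.30', 'Windows']] as [$v, $os]) {
    printf("%-7s %-8s -> %s\n", $v, $os, var_export(is_vulnerable_version($v, $os), true));
}
```

Run it with the same php.exe the web server uses (a host can have several installs), since the interpreter on PATH is not necessarily the one behind PHP-FPM or Apache.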

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from PHP context
  • Suspicious command-line arguments in Windows event logs
  • Multiple failed proc_open() attempts

Network Indicators:

  • Outbound connections from web server to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

source="windows-security" EventID=4688 AND ProcessName="php*" AND (CommandLine CONTAINS "cmd.exe" OR CommandLine CONTAINS "powershell")

The parentheses matter: without them the trailing OR binds last and the query matches every PowerShell launch on the host, not only those tied to a PHP process.
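As an added example (not from the advisory), the rule above can be expressed as a small filter over Windows 4688 process-creation records, keyed on the parent/child relationship rather than on the command line alone: the signal is a PHP executable spawning cmd.exe or PowerShell. Field names follow the 4688 event schema (NewProcessName, ParentProcessName, CommandLine); the sample records are constructed and the function names are ours.

```php
<?php
// Added example (not part of the advisory): detection logic over constructed 4688 records.
declare(strict_types=1);

// Constructed sample events; only the first should alert.
const SAMPLE_EVENTS = [
    ['EventID' => 4688, 'NewProcessName' => 'C:\Windows\System32\cmd.exe',
     'ParentProcessName' => 'C:\php\php-cgi.exe', 'CommandLine' => 'cmd.exe /c dir'],
    ['EventID' => 4688, 'NewProcessName' => 'C:\php\php-cgi.exe',
     'ParentProcessName' => 'C:\nginx\nginx.exe', 'CommandLine' => 'php-cgi.exe -b 127.0.0.1:9000'],
    ['EventID' => 4688, 'NewProcessName' => 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'ParentProcessName' => 'C:\Windows\explorer.exe', 'CommandLine' => 'powershell.exe'],
    ['EventID' => 4624, 'NewProcessName' => '', 'ParentProcessName' => '', 'CommandLine' => ''],
];

/** Lower-cased file name of a Windows path, e.g. "C:\php\php-cgi.exe" -> "php-cgi.exe". */
function exe_name(string $path): string
{
    return strtolower(basename(str_replace('\\', '/', $path)));
}

/** A 4688 event whose parent is a PHP binary and whose child is a shell interpreter. */
function is_suspicious_child(array $e): bool
{
    if (($e['EventID'] ?? 0) !== 4688) {
        return false;
    }
    $parent = exe_name($e['ParentProcessName'] ?? '');
    $child  = exe_name($e['NewProcessName'] ?? '');
    $phpParent  = str_starts_with($parent, 'php');                       // php.exe, php-cgi.exe
    $shellChild = in_array($child, ['cmd.exe', 'powershell.exe', 'pwsh.exe'], true);
    return $phpParent && $shellChild;
}

/** Return only the events that match the rule, re-indexed from zero. */
function find_alerts(array $events): array
{
    return array_values(array_filter($events, 'is_suspicious_child'));
}

foreach (find_alerts(SAMPLE_EVENTS) as $hit) {
    printf("ALERT parent=%s child=%s cmd=%s\n",
        $hit['ParentProcessName'], $hit['NewProcessName'], $hit['CommandLine']);
}
```

Command-line capture in 4688 requires the "Include command line in process creation events" policy; parent and child image names are present regardless, which is why the rule keys on them first and treats CommandLine as enrichment.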
