CVE-2024-4577
📋 TL;DR
This is a critical argument-injection vulnerability in the PHP CGI SAPI on Windows. Apache's mod_cgi hands a query string that contains no literal "=" to php-cgi.exe as command-line arguments; PHP's fix for CVE-2012-1823 stops such arguments from being treated as php-cgi options when they begin with "-", but Windows' "Best-Fit" code-page conversion turns a percent-encoded soft hyphen (%AD, U+00AD) into an ordinary "-" before PHP's option parser sees it, so the check is bypassed. An unauthenticated attacker can therefore inject options such as -d allow_url_include=1 -d auto_prepend_file=php://input and run arbitrary PHP supplied in the request body, which on a typical deployment means full server compromise. Exploitation is confirmed on Windows hosts whose system ANSI code page is Japanese (932), Simplified Chinese (936) or Traditional Chinese (950); other locales have not been shown to be safe. XAMPP for Windows exposes php-cgi.exe under /php-cgi/ by default and is vulnerable in its stock configuration.
💻 Affected Systems
- PHP (CGI SAPI on Windows): 8.1 before 8.1.29, 8.2 before 8.2.20, 8.3 before 8.3.8; the end-of-life branches 8.0, 7.x and 5.x are also affected and have no fixed release
📦 What is this software?
Fedora by Fedoraproject
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated remote code execution as the Apache service account, leading to complete server takeover, data exfiltration, lateral movement into the internal network, and persistent backdoors.
Likely Case
Remote code execution on any internet-facing Windows host that serves php-cgi.exe through mod_cgi (notably stock XAMPP installs). In the wild this has meant webshell drops and TellYouThePass ransomware deployment within days of disclosure, plus reading of configuration files and credentials from the web root.
If Mitigated
Limited impact where php-cgi.exe is not reachable (PHP served via mod_php or FastCGI), the %AD rewrite/WAF rule is in place, Apache runs as a low-privilege account, and web servers are segmented from the rest of the network.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist (watchTowr Labs, several GitHub repositories, a Metasploit module), the bug was weaponised within days of the 2024-06-06 disclosure (TellYouThePass ransomware, later persistent campaigns against Japanese organisations reported by Cisco Talos), and it is listed in the CISA Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.29, 8.2.20, 8.3.8
Vendor Advisory: https://www.php.net/archive/2024.php#2024-06-06-1
Restart Required: Yes
Instructions:
1. Identify the PHP build that Apache actually runs (on XAMPP this is C:\xampp\php\php-cgi.exe, not necessarily the php.exe on PATH) and note its branch.
2. Install 8.1.29, 8.2.20 or 8.3.8 (or a later release of the same branch) from https://windows.php.net/download/. PHP 8.0, 7.x and 5.x are end-of-life and received no fix; move those hosts to a supported branch.
3. Restart the Apache service.
4. Verify with php-cgi.exe -v from the PHP directory Apache uses.
🔧 Temporary Workarounds
Disable PHP-CGI on Apache (Windows)
Stop serving PHP through the CGI SAPI. The advisory recommends mod_php, FastCGI (mod_fcgid) or PHP-FPM instead; the bug is in php-cgi's handling of command-line arguments, so those SAPIs are not reachable by this attack.
# Remove whatever exposes php-cgi.exe: an AddHandler/Action cgi-script mapping for .php in httpd.conf,
# or, on XAMPP for Windows, the line ScriptAlias /php-cgi/ "C:/xampp/php/" in apache/conf/extra/httpd-xampp.conf
# Serve PHP via mod_php (php8apache2_4.dll) or mod_fcgid instead, then restart Apache
Use WAF Rules (all platforms)
Block the percent-encoded soft hyphen (%AD) in the raw query string; that is the byte Windows turns into "-". Do not match a literal "-d" in decoded arguments: the exploit never contains one, and such a rule false-positives on ordinary parameters such as sort=-date.
# Example ModSecurity rule: SecRule QUERY_STRING "@rx (?i)%ad" "id:1001,phase:1,t:none,deny,status:403,msg:'CVE-2024-4577 soft hyphen in query string'"
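The mod_rewrite stopgap that DEVCORE published with the advisory, shown here as an added configuration example rather than text from this page, alongside the XAMPP line that exposes php-cgi.exe. The IfModule wrapper and the XAMPP file layout are assumptions for illustration:

```apache
# Add to httpd.conf (or the vhost that serves PHP) on the Windows host. Assumed XAMPP-style layout.
<IfModule rewrite_module>
    RewriteEngine On
    # Reject any request whose raw query string begins with a percent-encoded soft hyphen;
    # this is the byte that Best-Fit conversion turns into "-" for php-cgi. [NC] covers %AD and %ad.
    RewriteCond %{QUERY_STRING} ^%ad [NC]
    RewriteRule .? - [F,L]
</IfModule>

# Weak default from XAMPP for Windows (apache/conf/extra/httpd-xampp.conf): maps /php-cgi/ straight
# to php-cgi.exe and makes the CGI SAPI reachable from the internet. Comment it out unless something
# legitimately needs it.
#ScriptAlias /php-cgi/ "C:/xampp/php/"
```

The anchored `^%ad` is DEVCORE's published pattern; dropping the `^` so the condition matches a soft hyphen anywhere in the query string is stricter at the cost of blocking the rare legitimate URL that carries a UTF-8 soft hyphen (%C2%AD). Restart httpd after the change and confirm with a request to /php-cgi/php-cgi.exe?%ADs that now returns 403.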
🧯 If You Can't Patch
- Remove the php-cgi.exe exposure now (XAMPP: comment out the /php-cgi/ ScriptAlias) and serve PHP through mod_php or FastCGI instead
- Deploy the %AD rewrite or WAF rule in front of every Windows Apache host as a stopgap; it blocks the known exploit shape but is not a substitute for the patch
- Run Apache as a low-privilege service account, segment web servers from the internal network, and restrict outbound traffic from them
🔍 How to Verify
Check if Vulnerable:
A host is vulnerable if all of the following hold: it runs Windows; Apache serves PHP through the CGI SAPI (php-cgi.exe via mod_cgi, e.g. XAMPP's /php-cgi/ alias or an AddHandler cgi-script mapping for .php); and PHP is below 8.1.29, 8.2.20 or 8.3.8, or on an end-of-life branch (8.0, 7.x, 5.x). Exploitation is confirmed when the system ANSI code page (registry key HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage, value ACP) is 932, 936 or 950; treat other locales as unproven rather than safe, and patch regardless.
Check Version:
php-cgi.exe -v (run from the PHP directory Apache uses; php -v reports the CLI build, which may differ)
Verify Fix Applied:
Confirm the reported version is 8.1.29, 8.2.20 or 8.3.8, or later within the same branch; 8.4 and newer shipped with the fix. A version from 8.0, 7.x or 5.x means no fix is available and the host must be upgraded or taken off the CGI SAPI.
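An added helper for the check above, not code from the PHP project or the advisory: it parses the first line of `php-cgi.exe -v`, compares it against the fixed releases per branch, flags end-of-life branches as unfixable, and (on Windows only) reads the ANSI code page from the registry to say whether the host is on a locale where exploitation is confirmed. The XAMPP path used by `live_banner` and the sample banners are assumptions and constructed data.

```python
"""Added example: is this php-cgi build fixed for CVE-2024-4577?"""
import re
import subprocess
import sys
from typing import Optional, Tuple

# First fixed release per supported branch (PHP announcement of 2024-06-06).
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}
# ANSI code pages on which exploitation is confirmed: Japanese, Simplified and
# Traditional Chinese. Other locales are unproven, which is not the same as safe.
CONFIRMED_ACPS = {932, 936, 950}


def parse_php_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `php-cgi -v` output."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no PHP version in banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(map(str, v))


def assess(banner: str) -> Tuple[str, str]:
    """Return ('fixed' | 'vulnerable', reason) for the build the banner describes."""
    v = parse_php_version(banner)
    branch = v[:2]
    if branch in FIXED:
        target = FIXED[branch]
        if v >= target:
            return "fixed", f"{fmt(v)} is at or above {fmt(target)}"
        return "vulnerable", f"upgrade {fmt(v)} to {fmt(target)}"
    if v < (8, 1, 0):
        # 8.0, 7.x and 5.x are end-of-life: no fixed release exists for them.
        return "vulnerable", f"{fmt(v)} is end-of-life with no fix; move to 8.1+ or off the CGI SAPI"
    return "fixed", f"{fmt(v)} belongs to a branch that shipped after the fix"


def locale_is_confirmed(acp: int) -> bool:
    """True when the ANSI code page is one where exploitation has been demonstrated."""
    return acp in CONFIRMED_ACPS


def windows_acp() -> Optional[int]:
    """Read the system ANSI code page (ACP) from the registry; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily on purpose
    key_path = r"SYSTEM\CurrentControlSet\Control\Nls\CodePage"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "ACP")
    return int(value)


def live_banner(exe: str = r"C:\xampp\php\php-cgi.exe") -> str:
    """Run the php-cgi binary Apache actually serves (assumed XAMPP default path)."""
    return subprocess.run([exe, "-v"], capture_output=True, text=True, check=True).stdout


# Constructed banners for offline use; the layout mirrors a real Windows `-v` line.
SAMPLE_BANNERS = {
    "xampp-old": "PHP 8.3.7 (cgi-fcgi) (built: May  7 2024 19:48:33) NTS Visual C++ 2019 x64",
    "patched":   "PHP 8.2.20 (cgi-fcgi) (built: Jun  5 2024 16:05:35) NTS Visual C++ 2019 x64",
    "eol":       "PHP 7.4.33 (cgi-fcgi) (built: Nov  2 2022 12:45:42)",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        status, why = assess(banner)
        print(f"{name:10} {status:11} {why}")
    acp = windows_acp()
    if acp is not None:
        state = "confirmed" if locale_is_confirmed(acp) else "unproven"
        print(f"ACP {acp}: exploitation {state} on this locale")
```

On a real host replace the sample banners with `assess(live_banner())`; the locale result is informational only, since a non-listed ACP does not make an unpatched CGI deployment safe.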
📡 Detection & Monitoring
Log Indicators:
- Requests to php-cgi.exe (on XAMPP: /php-cgi/php-cgi.exe) whose query string contains no literal "=" and carries a percent-encoded soft hyphen (%AD or %ad). Apache logs the request line raw, so the public exploit shape %ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input appears literally in access.log
- POST requests to those URLs with a body: auto_prepend_file=php://input executes whatever the body contains
- A burst of probes returning 404/403 followed by a 200 from php-cgi.exe, then new .php files in the web root or cmd.exe/powershell.exe children of httpd.exe or php-cgi.exe
Network Indicators:
- Inbound HTTP with %AD immediately followed by a php-cgi option letter, most often d (set an ini directive) or s (display source)
- Unusual outbound connections from web servers (payload staging, C2)
SIEM Query:
source="apache_access" AND uri="*%AD*"
Match %ad case-insensitively and add uri="*php-cgi*" if the first query is noisy. Searching for %2D finds an encoded ordinary hyphen, which the exploit does not use; the soft hyphen %AD is the discriminating byte.
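The log indicators above, as an added detection example that is not part of the page or of any vendor tooling. It parses Apache combined-format lines, keeps those whose raw query string contains a percent-encoded soft hyphen, and then rebuilds the argv that mod_cgi would hand php-cgi.exe (RFC 3875 section 4.4 splitting, then a simplified model of the Best-Fit step) so that a genuine option injection can be told apart from a UTF-8 soft hyphen in an ordinary URL. The log lines are constructed sample data using RFC 5737 addresses; line 1 copies the shape of the public proof of concept.

```python
"""Added example: triage Apache access logs for CVE-2024-4577 attempts."""
import re
from urllib.parse import unquote_to_bytes

# Apache combined log format: client, identd, user, [time], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)
# The request line is logged raw, so the percent-encoded soft hyphen survives as text.
SOFT_HYPHEN = re.compile(r"%ad", re.IGNORECASE)


def cgi_argv(query: str) -> list:
    """Argv that mod_cgi passes to the script (RFC 3875 section 4.4): used only when
    the raw query string has no literal '=', split on '+', each word URL-decoded."""
    if not query or "=" in query:
        return []
    return [unquote_to_bytes(word) for word in query.split("+")]


def best_fit(arg: bytes) -> bytes:
    """Simplified model of the Windows Best-Fit step the advisory describes: byte 0xAD
    (soft hyphen) collapses to 0x2D ('-'). The real mapping is done by Windows on the
    affected code pages, not by this function."""
    return arg.replace(b"\xad", b"-")


def classify(query: str):
    """Return (verdict, argv). verdict is None (no soft hyphen at all), 'review'
    (soft hyphen present but php-cgi would see no argument starting with '-',
    e.g. a UTF-8 %C2%AD inside a word, or a query with a literal '=') or
    'exploit' (php-cgi would receive an injected option)."""
    if not SOFT_HYPHEN.search(query):
        return None, []
    argv = [best_fit(a).decode("latin-1") for a in cgi_argv(query)]
    injected = any(a.startswith("-") for a in argv)
    return ("exploit" if injected else "review"), argv


def find_hits(log_text: str) -> list:
    """Scan log text and return one dict per line that carries a soft hyphen."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        verdict, argv = classify(query)
        if verdict:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": m["status"],
                         "verdict": verdict, "argv": argv})
    return hits


# Constructed sample log. Line 1: public PoC shape; line 2: source disclosure via -s;
# lines 3-4: benign hyphens that a "-d" rule would false-positive on; line 5: UTF-8 soft hyphen.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2024:10:15:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.10 - - [07/Jun/2024:10:15:02 +0000] "GET /index.php?%ads HTTP/1.1" 200 2048 "-" "curl/8.0.1"
198.51.100.7 - - [07/Jun/2024:10:16:00 +0000] "GET /index.php?id=42&sort=-date HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2024:10:16:05 +0000] "GET /search.php?q=foo%2Dd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2024:10:16:09 +0000] "GET /page.php?word%C2%ADbreak HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h['verdict']:8} {h['ip']} {h['method']} {h['path']} status={h['status']} argv={h['argv']}")
```

Feed real access logs through `find_hits`; an "exploit" verdict with a 200 status on a php-cgi.exe path is the trigger for incident response, while "review" hits are usually benign but worth a glance because the `=` and `+` handling of other CGI front ends may differ from mod_cgi.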
🔗 References
- http://www.openwall.com/lists/oss-security/2024/06/07/1
- https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
- https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
- https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately
- https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
- https://github.com/11whoami99/CVE-2024-4577
- https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv
- https://github.com/rapid7/metasploit-framework/pull/19247
- https://github.com/watchtowrlabs/CVE-2024-4577
- https://github.com/xcanwin/CVE-2024-4577-PHP-RCE
- https://isc.sans.edu/diary/30994
- https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
- https://security.netapp.com/advisory/ntap-20240621-0008/
- https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/
- https://www.php.net/ChangeLog-8.php#8.1.29
- https://www.php.net/ChangeLog-8.php#8.2.20
- https://www.php.net/ChangeLog-8.php#8.3.8
- https://blog.talosintelligence.com/new-persistent-attacks-japan/
- https://www.vicarius.io/vsociety/posts/php-cgi-argument-injection-to-rce-cve-2024-4577
- https://www.vicarius.io/vsociety/posts/php-cgi-os-command-injection-vulnerability-cve-2024-4577
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4577