Connect with us

Hi, what are you looking for?



PHP Patches Critical Remote Code Execution Vulnerability

PHP has released patches for CVE-2024-4577, a critical vulnerability that could lead to arbitrary code execution on remote servers.

A critical vulnerability in PHP could allow remote attackers to execute arbitrary code on vulnerable servers, cybersecurity firm Devcore warns.

The issue, tracked as CVE-2024-4577, exists because, in certain configurations, it is possible to inject arguments remotely in PHP on Windows.

Specifically, the flaw can be exploited on Windows servers using Apache and PHP-CGI, when the system is set to use certain code pages.

According to Devcore, the flaw exists because the scripting language’s implementation did not consider the “the Best-Fit feature of encoding conversion within the Windows operating system”, which controls the conversion of Unicode characters to the closest matching ANSI characters.

This oversight, Devcore notes, allows attackers to bypass the patches for CVE-2012-1823, a decade-old issue that resulted in the php-cgi module receiving processed query string parameters as command line arguments.

Attackers could exploit the issue to provide specific character sequences that will be interpreted as arguments and achieve code execution on remote PHP servers.

“Windows may use ‘Best-Fit’ behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run,” a NIST advisory reads.

The vulnerability, Devcore warns, impacts all versions of PHP installed on Windows systems, including versions 8.0, 7, and 5, which are discontinued.

Advertisement. Scroll to continue reading.

The cybersecurity firm has verified that the bug allows attackers to directly execute arbitrary code on Windows systems, configured to use Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936), and Japanese (Code Page 932).

“For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios,” Devcore notes.

The flaw was addressed with the release of PHP versions 8.1.29, 8.2.20, and 8.3.8. Users are advised to update their PHP installations as soon as possible. Devcore shared recommended mitigations for users who cannot update.

Related: Chinese Hackers Exploit Old ThinkPHP Vulnerabilities in New Attacks

Related: SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester

Related: Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights