⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Due date: 2024-07-03.

CVE-2024-4577: OS Command Injection in PHP Group PHP

CWE-78: OS Command Injection | 27 documents | 19 sources

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.4% (top 0.03%)
CISA KEV: KEV, Ransomware | Added 2024-06-12 | Due 2024-07-03
Exploit: Exploited in wild | Active exploitation observed
Timeline: Published Jun 9 | KEV added Jun 12 | KEV due Jul 3 | Latest update Jun 15

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD | php/php | 8.1.0 | 8.1.29 | +2
CVEListV5 | php_group/php | 8.1.* | 8.1.29 | +5

Also affects: Fedora 39, 40

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-vxpp-6299-mxw3: In PHP versions 8 (2024-06-09)
CVEList: Argument Injection in PHP-CGI (2024-06-09)
VulnCheck: PHP-CGI OS Command Injection Vulnerability (2024)

💥 Exploits & PoCs (2)

Exploit-DB: PHP CGI Module 8.3.4 - Remote Code Execution (RCE) (2025-06-15)
Nuclei: PHP CGI - Argument Injection

🔍 Detection Rules (3)

Suricata: ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyphen) (CVE-2024-4577) (2025-03-12)
Suricata: ET WEB_SERVER Generic PHP Remote File Include (2014-12-17)
Suricata: ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt (2011-06-10)

📋 Vendor Advisories (6)

Oracle: Oracle Communications Risk Matrix: Web UI (PHP) — CVE-2024-4577 (2024-10-15)
Red Hat: php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass) (2024-10-07)
CISA: PHP-CGI OS Command Injection Vulnerability (2024-06-12)
Microsoft: Argument Injection in PHP-CGI (2024-06-11)
Red Hat: php: Argument Injection in PHP-CGI (2024-06-07)

🕵️ Threat Intelligence (10)

Bleepingcomputer: Critical PHP RCE vulnerability mass exploited in new attacks (2025-03-11)
Greynoiseio: GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign (2025-03-07)
Talos: Unmasking the new persistent attacks on Japan (2025-03-06)
Securelist: Exploits and vulnerabilities in Q2 2024 (2024-08-21)