CVE-2024-4577
Published: 09 June 2024
Summary
CVE-2024-4577 is a critical-severity vulnerability in PHP, classified as OS Command Injection (CWE-78); in practice it is an argument injection into the php-cgi command line. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, initial access maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with Data from Local System (T1005) and Command and Scripting Interpreter (T1059) as the follow-on effects (source disclosure and PHP code execution). The CVE sits in the top fraction of a percent of all CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), that is, installing the fixed releases, and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-4577 is an argument injection vulnerability in PHP 8.1 before 8.1.29, 8.2 before 8.2.20 and 8.3 before 8.3.8 when php-cgi runs under Apache on Windows. The flaw stems from the Windows "Best-Fit" character conversion applied under certain code pages: a character with no exact mapping in the active code page is replaced with the closest available one before the command line reaches Win32 API functions, and the CGI module then misinterprets the converted string as php-cgi command-line options. The research that disclosed the flaw showed the soft hyphen (U+00AD, byte 0xAD) being best-fitted to an ASCII hyphen under the Traditional Chinese (950), Simplified Chinese (936) and Japanese (932) locales, so a percent-encoded query string can be turned into options such as -s (display the script source) or -d (set an INI directive).
An unauthenticated remote attacker can therefore supply crafted input that php-cgi treats as command-line options, enabling source-code disclosure, arbitrary PHP code execution, or any other behaviour those options control. The vulnerability carries a CVSS 3.1 score of 9.8 and is categorized under CWE-78.
Public advisories from the referenced sources urge immediate upgrade to the patched PHP releases and note that the issue is exploitable over the network without authentication or user interaction. Branches that were already end of life when the fix shipped (8.0 and earlier) received no patch and remain exposed wherever php-cgi is used on Windows.
The EPSS score peaked at 0.9675 and currently stands at 0.9437, indicating sustained, substantial exploitation interest since disclosure.
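The following Python script is an added example for this advisory, not code from the page, the PHP project or the researchers who reported the flaw. It turns the Deeper analysis above into two triage checks: a version test against the fixed ranges the advisory lists, and a scan of Apache access-log lines for the argument-injection pattern. The log check models the mechanism as the public research describes it (a query string with no literal '=' is split on '+' and handed to php-cgi as argv per RFC 3875 section 4.4; best-fit turns byte 0xAD into '-'). The guard that php-cgi applies to a literal leading hyphen is a simplified model and is labelled as an assumption in the code; the INI directive list and the log lines are constructed for the example.

```python
"""Triage helpers for CVE-2024-4577 (added example, not the advisory's or
PHP's own code).  Assumptions are marked inline; SAMPLE_LOG is constructed."""
import re
from urllib.parse import unquote_to_bytes

# First fixed release of each affected branch, from the advisory text.
FIXED_RELEASE = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def parse_version(text):
    """'8.3.7' -> (8, 3, 7); suffixes such as '-dev' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a PHP version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True when the build predates the fix for its branch.
    Assumption: branches older than 8.1 were end of life and got no patch
    (reported vulnerable); branches newer than 8.3 shipped after the fix."""
    v = parse_version(text)
    fix = FIXED_RELEASE.get(v[:2])
    return v < (8, 1, 0) if fix is None else v < fix


SOFT_HYPHEN = b"\xad"
# INI directives the public PoCs push via '-d' to reach code execution
# (assumed list; allow_url_include + auto_prepend_file=php://input is typical).
DANGEROUS_INI = (b"allow_url_include", b"auto_prepend_file",
                 b"auto_append_file", b"cgi.force_redirect")


def cgi_argv(query):
    """RFC 3875 'indexed query': no literal '=' means the server splits the
    query on '+' and percent-decodes each piece into an argv entry.
    Returns None when the query would not be passed as argv at all."""
    if query == "" or "=" in query:
        return None
    return [unquote_to_bytes(piece) for piece in query.split("+")]


def php_cgi_argv(query):
    """What php-cgi ends up parsing.  Simplified model (assumption): php-cgi
    ignores a query argv whose first entry starts with a literal '-', a guard
    from the CVE-2012-1823 fix.  The guard sees raw bytes, so 0xAD passes it;
    the Win32 layer then best-fits 0xAD to '-', which is the whole bug."""
    argv = cgi_argv(query)
    if not argv or argv[0].startswith(b"-"):
        return []
    return [b"-" + a[1:] if a.startswith(SOFT_HYPHEN) else a for a in argv]


def smuggled_options(argv):
    """List the php-cgi options an attacker injected, in the order seen."""
    findings, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok == b"-s":
            findings.append("-s (display source of the target script)")
        elif tok == b"-d" and i + 1 < len(argv):
            directive = argv[i + 1]
            name = directive.split(b"=", 1)[0].lower()
            tag = "dangerous" if name in DANGEROUS_INI else "ini"
            findings.append(f"-d {directive.decode('latin-1')} [{tag}]")
            i += 1
        i += 1
    return findings


# Apache combined/common log format, enough fields for this check.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (client, target, findings) for each request that smuggles
    php-cgi options through the query string."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        findings = smuggled_options(php_cgi_argv(target.partition("?")[2]))
        if findings:
            hits.append((m.group("client"), target, findings))
    return hits


# Constructed sample: an RCE-style attempt, a benign request, a source
# disclosure attempt, and a literal "-s" that php-cgi's guard drops.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:10:15:32 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2024:10:16:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Jun/2024:10:17:44 +0000] "GET /test.php?%ADs HTTP/1.1" 200 1337',
    '198.51.100.9 - - [10/Jun/2024:10:18:10 +0000] "GET /test.php?-s HTTP/1.1" 200 1337',
]

if __name__ == "__main__":
    for ver in ("8.3.7", "8.3.8", "8.1.29", "7.4.33"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for client, target, findings in scan_access_log(SAMPLE_LOG):
        print(client, target, *findings, sep="\n    ")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; only the soft-hyphen form is reported, because a literal leading hyphen never reaches the option parser, which is exactly why 0xAD is the indicator worth alerting on. The version check reads the php-cgi.exe build, so feed it the output of `php-cgi.exe -v` rather than a package manifest.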
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44188
- 🇧🇪 CERT.be: cert.be
Vulnerability details
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 12 June 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Initial access is Exploit Public-Facing Application (T1190): the attacker reaches php-cgi on Windows through an exposed web application and injects command-line options. The injected options then yield Data from Local System (T1005) when they make php-cgi return script source, and Command and Scripting Interpreter (T1059) when they make it execute attacker-supplied PHP.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): install the patched PHP releases 8.1.29, 8.2.20 or 8.3.8 (or later in each branch), which remove the CGI command-line misinterpretation. Verify the version of the php-cgi.exe actually serving requests after the upgrade, not only the package version, and retire end-of-life branches that received no fix.
- SI-10 (Information Input Validation): validate and reject request input that can reach the php-cgi command line, in particular query strings containing the percent-encoded soft hyphen (%ad), so that crafted character sequences cannot be interpreted as PHP options.
- Secure configuration of php-cgi on Windows: prefer a non-CGI handler (mod_php or FastCGI) over php-cgi and remove php-cgi endpoints that are not needed. Where php-cgi must remain, the PHP project's published interim mitigation is an Apache mod_rewrite rule that returns 403 for query strings beginning with %ad. Switching the system code page is not a substitute for patching.