Cyber Resilience

CVE-2024-4577

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 09 June 2024
Modified: 03 November 2025
KEV Added: 12 June 2024
CVSS Score: 9.8 (v3.1), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9437 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-4577 is a critical-severity OS Command Injection (CWE-78) vulnerability in PHP (vendor php, product php). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059) and Data from Local System (T1005). Its EPSS score sits at the 100th percentile, i.e. above every other scored CVE; CISA added it to the Known Exploited Vulnerabilities catalog on 12 June 2024; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), meaning an upgrade to a fixed release, and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-4577 is an argument-injection flaw (recorded as OS Command Injection, CWE-78) in PHP 8.1 before 8.1.29, 8.2 before 8.2.20 and 8.3 before 8.3.8 when php-cgi runs under Apache on Windows. Older branches (8.0, 7.x, 5.x) are end-of-life, received no fix, and share the flaw; default XAMPP for Windows installations, which expose php-cgi.exe, were confirmed vulnerable. The mechanism has three parts. First, Apache follows RFC 3875 and passes a query string that contains no unencoded '=' to the CGI binary as command-line arguments. Second, php-cgi's guard against query-string argument injection inspects the decoded bytes for a leading '-' and finds none when the request uses the percent-encoded soft hyphen %AD (byte 0xAD). Third, on Windows systems whose ANSI code page applies "Best-Fit" mapping (confirmed for Japanese 932, Simplified Chinese 936 and Traditional Chinese 950; other locales may also be affected), the command line handed to Win32 API functions is converted so that 0xAD becomes a plain hyphen 0x2D, and the PHP option parser then treats the argument as a command-line option. The flaw is therefore locale-dependent: the same request is harmless on a Western (1252) system.

An unauthenticated remote attacker can supply a query string that, after conversion, is parsed as PHP options such as -s (print the script's source) or -d (set an ini directive), giving source-code disclosure, arbitrary PHP code execution, or any other behaviour controllable through the PHP binary's options. The vulnerability carries a CVSS 3.1 score of 9.8 and is categorized under CWE-78.

Public advisories from the referenced sources urge immediate upgrade to the patched PHP releases and note that the issue is exploitable over the network without authentication or user interaction.

The associated EPSS score has reached a peak of 0.9675 with a current value of 0.9437, indicating sustained and substantial exploitation interest following disclosure.
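The conversion path described above, as an added illustration in Python (not code from this page, from PHP or from Apache): the argv construction follows RFC 3875, while the option guard and the Best-Fit step are simplified models of the real behaviour. The code-page set {932, 936, 950} is taken from the public analysis rather than from a full Windows Best-Fit table, and the function names are this example's own.

```python
"""
Model of the CVE-2024-4577 argument-injection path (added illustration, not
code from this page, from PHP, or from Apache).

Three steps are reproduced in plain Python:
  1. the CGI gateway turning QUERY_STRING into argv (RFC 3875 section 4.4:
     only when the query string contains no unencoded '=', split on '+',
     then percent-decoded);
  2. the byte-level guard a CGI binary applies before parsing options
     ("does the first argument start with '-'?"), modelled as one function
     rather than copied from php-cgi;
  3. the Windows conversion of the command line to the ANSI code page,
     modelled only for the one Best-Fit mapping this CVE depends on:
     U+00AD SOFT HYPHEN (byte 0xAD) becomes 0x2D '-' under code pages
     932, 936 and 950.  WideCharToMultiByte performs many other best-fit
     substitutions; they are deliberately not modelled here.
"""
from urllib.parse import unquote_to_bytes

# Code pages on which the soft hyphen is best-fit mapped to '-'.
# Assumption: limited to the locales named in the public analysis.
BEST_FIT_CODEPAGES = {932, 936, 950}


def cgi_argv(query_string: str) -> list[bytes]:
    """RFC 3875 argv construction: nothing if '=' is present, else '+'-split words."""
    if "=" in query_string:
        return []
    return [unquote_to_bytes(word) for word in query_string.split("+")]


def option_check_passes(argv: list[bytes]) -> bool:
    """Pre-conversion guard: refuse option parsing if the first arg starts with '-'.
    It operates on raw bytes, so 0xAD is not recognised as an option marker."""
    return not (argv and argv[0].startswith(b"-"))


def ansi_command_line(argv: list[bytes], codepage: int) -> list[bytes]:
    """Model of the command line as the binary's option parser receives it."""
    if codepage not in BEST_FIT_CODEPAGES:
        return list(argv)
    return [arg.replace(b"\xad", b"-") for arg in argv]


def options_seen_by_php(query_string: str, codepage: int) -> list[bytes]:
    """Options the PHP option parser would act on for one request and locale.
    An empty list means the request cannot inject options on that system."""
    argv = cgi_argv(query_string)
    if not option_check_passes(argv):
        return []
    converted = ansi_command_line(argv, codepage)
    return [arg for arg in converted if arg.startswith(b"-")]


if __name__ == "__main__":
    # Constructed requests: a plain '-s' (caught by the guard), the soft-hyphen
    # form, and a query string with '=' (never handed over as argv).
    for qs in ("-s", "%ADs", "foo=bar%ADs"):
        for cp in (1252, 936):
            print(f"{qs!r:14} cp{cp}: {options_seen_by_php(qs, cp)}")
```

Running it shows the asymmetry that makes the bug locale-specific: "-s" is rejected by the guard on every code page, "%ADs" yields no option on code page 1252 but `-s` on 936, and any query string containing a literal '=' never reaches the binary as argv at all.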

Vulnerability details

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 12 June 2024

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-4577 enables argument injection in PHP-CGI on Windows via public-facing web applications (T1190), allowing source code disclosure from local files (T1005) and arbitrary PHP code execution (T1059).

Affected Assets

php / php: 8.1.0 up to but not including 8.1.29 · 8.2.0 up to but not including 8.2.20 · 8.3.0 up to but not including 8.3.8
fedoraproject / fedora: 39, 40

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the patched PHP 8.1.29/8.2.20/8.3.8 releases that eliminate the CGI command-line misinterpretation flaw.

SI-10 Information Input Validation (prevent)

Mandates validation and sanitization of all CGI and command-line inputs so that crafted character sequences (here, the percent-encoded soft hyphen %AD that Best-Fit turns into '-') cannot be interpreted as PHP options.

Secure configuration of the PHP handler (prevent)

Requires secure configuration of PHP-CGI on Windows: run PHP through a non-CGI handler (mod_php, or FastCGI/PHP-FPM), do not deploy the CGI handler on hosts whose system locale uses a Best-Fit code page (Japanese 932, Simplified Chinese 936 and Traditional Chinese 950 are the confirmed ones), or, as a stopgap until the upgrade lands, reject at the web server any request whose query string begins with %ad.
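A log-side check for the same pattern, as an added example (not code from this page or from the PHP project): it applies the condition of the `RewriteCond %{QUERY_STRING} ^%ad [NC]` workaround that circulated with the advisory to Apache combined-format access-log lines, and adds a looser hunting heuristic for a soft hyphen anywhere in a query string that the gateway would still pass as argv. The log lines, client addresses and the `scan`/`classify_query` helper names are constructed for this example.

```python
"""
Detection pass over Apache access-log lines for the CVE-2024-4577 injection
pattern (added example, not code from this page or from the PHP project).

Two tests are applied to each request's raw, still percent-encoded query string:
  "block"   - it begins with %ad (case-insensitive), the same condition as the
              `RewriteCond %{QUERY_STRING} ^%ad [NC]` workaround;
  "suspect" - %ad appears later in a query string that carries no unencoded
              '=', i.e. one the CGI gateway would still hand to the binary as
              argv (RFC 3875 section 4.4); a hunting heuristic, expect noise.
Everything else is "clean".  SAMPLE_LOG is constructed, not a real capture.
"""
import re
from urllib.parse import urlsplit

# Apache "combined" format; only the fields we need are captured.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)
LEADING_SOFT_HYPHEN = re.compile(r"^%ad", re.IGNORECASE)
ANY_SOFT_HYPHEN = re.compile(r"%ad", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?%ADs HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "POST /cgi-bin/php-cgi.exe?%adS+x HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.11 - - [10/Jun/2024:12:00:04 +0000] "GET /info.php?x+%ADs HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.13 - - [10/Jun/2024:12:00:05 +0000] "GET /page.php?id=5%AD HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def classify_query(qs: str) -> str:
    """Verdict for one raw (percent-encoded) query string."""
    if LEADING_SOFT_HYPHEN.search(qs):
        return "block"
    if "=" not in qs and ANY_SOFT_HYPHEN.search(qs):
        return "suspect"
    return "clean"


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, verdict, raw query string) for every parseable line."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue                       # unparseable line: skip, do not guess
        qs = urlsplit(m["target"]).query   # urlsplit leaves percent-encoding intact
        findings.append((m["ip"], classify_query(qs), qs))
    return findings


if __name__ == "__main__":
    for ip, verdict, qs in scan(SAMPLE_LOG):
        if verdict != "clean":
            print(f"{verdict:8} {ip:14} ?{qs}")
```

The "block" verdict is exact for what the web-server workaround rejects; the "suspect" verdict is broader than the rule and is meant for retrospective hunting on hosts that ran php-cgi on an affected locale before the upgrade. The last sample line shows why the literal '=' matters: it keeps the gateway from building argv at all, so the trailing %AD is not an injection via this path.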
