CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-4577

CVSS 9.8v3.1pub. 2024-06-09upd. 2025-11-03

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

🤖 AI Analysis
How it works

The problem stems from the 'Best-Fit' mechanism used by Windows when converting characters in selected code pages. When the operating system converts characters in arguments passed to Win32 API functions, the PHP-CGI module may incorrectly interpret these characters as PHP command-line options. An attacker can thus smuggle arbitrary options into the executed PHP binary without any authentication or user interaction.

Impact

An attacker can disclose PHP script source code or execute arbitrary PHP code on the server, which in practice means full takeover of the application and potentially the entire system.

Mitigation & patch

PHP must be immediately updated to version 8.1.29, 8.2.20, or 8.3.8 (depending on the branch in use). If immediate update is not possible, consider disabling PHP-CGI mode or replacing it with PHP-FPM, and restrict access to the CGI endpoint at the firewall or Apache configuration level.

Who is affected

PHP versions 8.1.x before 8.1.29, 8.2.x before 8.2.20, and 8.3.x before 8.3.8 – only in Apache + PHP-CGI configuration on Windows with specific code pages.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fedora Project Fedora

    OS
    Fedoraproject
    3940
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
  • PHP

    APP
    Php
    8.1.0 – 8.1.29 (bez)8.2.0 – 8.2.20 (bez)8.3.0 – 8.3.8 (bez)

CISA KEV — detailsi

Vendori
PHP Group
Producti
PHP
Added to KEVi
June 12, 2024
Remediation deadline (US Federal)i
July 3, 2024(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 3 lipca 2024
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML