Serious security flaw in PHP on Windows server in CGI mode

In the world of cybersecurity, Taiwanese company DEVCORE has identified a significant vulnerability in PHP installations on Windows in CGI mode. The vulnerability, identified with code CVE-2024-4577, does not yet have a specific CVSS score but allows attackers to manipulate command line arguments, leading to the possibility of remote code execution (RCE). According to DEVCORE, the problem has its roots in the old vulnerability CVE-2012-1823, since the new bug allows you to bypass the security measures introduced against the latter by using particular character sequences.

Affected PHP versions and risk to websites

The CVE-2024-4577 security flaw affects numerous versions of PHP on Windows servers, specifically: PHP 8.3 through 8.3.8, PHP 8.2 through 8.2.20, and PHP 8.1 through 8.1.29. The widespread diffusion of PHP within the web ecosystem, together with the simplicity of exploiting this flaw, have led experts to classify the vulnerability as critical. Immediately reported to the official PHP team, the vulnerability was made public only after the release of the corrected PHP versions, available for download from the official website. Experts estimate that the vulnerability could affect millions of websites and services hosted on Windows servers running PHP in CGI mode.

Impact on Windows servers in different locations

At the time of disclosure, it has been confirmed that an unauthorized malicious actor can execute arbitrary code on a remote server in specific interface locales, specifically: Traditional Chinese, Simplified Chinese, and Japanese. For other Windows instances in other localizations, given the wide range of uses of PHP, researchers cannot yet rule out other possible ways of exploitation. System administrators are therefore strongly encouraged to conduct their own security assessments, review their use cases, and update PHP to the latest available version to maintain the security of their systems.

Immediate action and safety recommendations

WatchTowr Labs researchers have already created and made public an exploit for this vulnerability, calling it easily replicable. Therefore, immediately updating PHP to the correct version is crucial to avoid potential attacks. To mitigate further risks, IT managers are also advised to regularly review server configurations, perform security audits, and train staff in the secure use and management of systems. Despite the criticality of the situation, taking these measures quickly can significantly reduce the risk of compromise.