CVE-2024-4577 impacts PHP and exploited in wild

---

CVE-2024-4577 is a critical Remote Code Execution (RCE) vulnerability affecting PHP when running in CGI mode on Windows systems with Apache. This flaw arises from the improper handling of command-line arguments passed to the PHP-CGI binary, particularly when certain Windows code pages use “Best-Fit” behavior to replace characters.

Overview

• Vulnerability Type: Remote Code Execution (RCE) via Argument Injection.
• Affected Software: PHP versions:
  • 8.1.x (before 8.1.29),
  • 8.2.x (before 8.2.20),
  • 8.3.x (before 8.3.8).
• Configuration: This vulnerability specifically affects Windows systems running PHP in CGI mode with Apache. It exploits the “Best-Fit” behavior of certain Windows code pages, which can misinterpret characters in command-line arguments passed to the PHP-CGI binary.
• Severity: Critical (CVSS Score: 9.8).
• Impact:
  • Allows attackers to inject malicious arguments into the PHP binary.
  • Enables arbitrary code execution, potentially exposing sensitive data, executing malicious scripts, or compromising the server.

Exploitation Details

• Mechanism:
  • Attackers craft HTTP requests with malicious arguments that exploit the PHP-CGI module’s misinterpretation of command-line inputs.
  • This can lead to the execution of arbitrary PHP code or the exposure of sensitive script source code.
• Exploitation Evidence:
• Mass Exploitation: GreyNoise reported widespread exploitation attempts globally, with over 1,000 unique IPs targeting this vulnerability in January 2025.
• Targeted Campaigns: Cisco Talos identified a campaign targeting Japanese organizations in sectors like technology, telecommunications, and e-commerce. Attackers used this vulnerability to deploy Cobalt Strike beacons and perform post-exploitation activities.
• Post-Exploitation Activities:
  • Attackers used tools like JuicyPotato, RottenPotato, and SweetPotato for privilege escalation.
  • Persistence was established via Windows Registry modifications, scheduled tasks, and custom services.
  • Event logs were erased using wevtutil commands to maintain stealth.
  • Reconnaissance and lateral movement were conducted using tools like fscan and Seatbelt.

Mitigation Measures

Patch Management:

• Upgrade to PHP versions 8.1.29, 8.2.20, or 8.3.8 to address this vulnerability.

Configuration Changes:

• Avoid running PHP in CGI mode unless absolutely necessary.
• Use alternative configurations like PHP-FPM or mod_php for Apache.

Network Security:

• Restrict access to PHP-CGI endpoints to trusted IPs.
• Monitor for unusual HTTP requests targeting PHP-CGI endpoints.

Post-Exploitation Detection:

• Look for signs of privilege escalation tools and unauthorized registry modifications.
• Monitor for erased event logs or unusual PowerShell activity.

Conclusion

CVE-2024-4577 is a critical vulnerability with active exploitation in the wild. Organizations using affected PHP versions in CGI mode on Windows must act immediately to patch their systems and implement robust security measures to mitigate the risk of exploitation.