In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Reserved 2024-05-06 | Published 2024-06-09 | Updated 2025-02-13 | Assigner php
Date added 2024-06-12 | Due date 2024-07-03
Known Ransomware Campaign(s)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Orange Tsai, DEVCORE Research Team
github.com/...hp-src/security/advisories/GHSA-3qgc-jrrr-25jv
blog.orange.tw/.../06/cve-2024-4577-yet-another-php-rce.html
devco.re/...577-php-cgi-argument-injection-vulnerability-en/
arstechnica.com/...to-run-malicious-code-on-windows-servers/
www.imperva.com/...critical-php-vulnerability-cve-2024-4577/
github.com/11whoami99/CVE-2024-4577
github.com/xcanwin/CVE-2024-4577-PHP-RCE
github.com/rapid7/metasploit-framework/pull/19247
labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
github.com/watchtowrlabs/CVE-2024-4577
cert.be/...rning-php-remote-code-execution-patch-immediately
www.openwall.com/lists/oss-security/2024/06/07/1
lists.fedoraproject.org/...PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
lists.fedoraproject.org/...W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
security.netapp.com/advisory/ntap-20240621-0008/