{"id":164302,"date":"2024-06-09T13:27:03","date_gmt":"2024-06-09T13:27:03","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164302"},"modified":"2024-06-09T13:27:05","modified_gmt":"2024-06-09T13:27:05","slug":"php-critical-rce","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164302\/breaking-news\/php-critical-rce.html","title":{"rendered":"PHP addressed critical RCE flaw potentially impacting millions of servers"},"content":{"rendered":"
<\/div>\n

A new PHP for Windows remote code execution (RCE) flaw affects version 5.x and earlier versions, potentially impacting millions of servers worldwide.<\/h2>\n\n\n\n

Researchers at cybersecurity firm DEVCORE discovered<\/a>\u00a0a critical remote code execution (RCE)\u00a0vulnerability<\/a>, tracked as\u00a0CVE-2024-4577,\u00a0in the PHP programming language. An unauthenticated attacker can exploit the flaw to take full control of affected servers.<\/p>\n\n\n\n

PHP is a popular open-source scripting language widely used for web development.<\/p>\n\n\n\n

“While implementing PHP, the team did not notice the\u00a0Best-Fit<\/a>\u00a0feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of\u00a0CVE-2012-1823<\/a>\u00a0by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.” reads the advisory<\/strong><\/a> published by DEVCORE.<\/em><\/p>\n\n\n\n

The vulnerability CVE-2024-4577 was reported to the PHP development team by DEVCORE researcher Orange Tsai on May 7, 2024. The developers released a version that addresses the issue on June 6, 2024.<\/p>\n\n\n\n

The flaw resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.<\/p>\n\n\n\n

Since the disclosure of the vulnerability and the public availability of PoC exploit code, multiple actors have been attempting to exploit it, Shadowserver and GreyNoise researchers reported.<\/p>\n\n\n\n

Shadowserver researchers observed multiple IPs testing PHP\/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against its honeypot sensors starting on June 7th.<\/p>\n\n\n\n

\n

Attention! We see multiple IPs testing PHP\/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows.

Patches released June 6th:
https:\/\/t.co\/jM5HgGUZJF<\/a>

Exploit PoC is public.<\/p>— The Shadowserver Foundation (@Shadowserver)
June 7, 2024<\/a><\/blockquote>