{"id":165586,"date":"2024-07-11T14:31:19","date_gmt":"2024-07-11T14:31:19","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165586"},"modified":"2024-07-11T14:31:21","modified_gmt":"2024-07-11T14:31:21","slug":"php-flaw-cve-2024-4577-actively-exploited","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165586\/hacking\/php-flaw-cve-2024-4577-actively-exploited.html","title":{"rendered":"Multiple threat actors exploit PHP flaw CVE-2024-4577 to deliver malware"},"content":{"rendered":"

Multiple threat actors are exploiting the recently disclosed PHP flaw CVE-2024-4577 to deliver multiple malware families.

The Akamai Security Intelligence Response Team (SIRT) warns that multiple threat actors are exploiting the PHP vulnerability CVE-2024-4577 to deliver multiple malware families, including Gh0st RAT, RedTail cryptominers, and XMRig.

“Threat actors continued the speedy-time-from-disclosure-to-exploitation trend and were quick to leverage this new vulnerability \u2014 we observed exploit attempts targeting this PHP flaw on our honeypot network within 24 hours of its disclosure.” reported Akamai.

The flaw CVE-2024-4577 (CVSS score: 9.8) is a PHP-CGI OS command injection vulnerability. The issue resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass the protections added for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.

Since the disclosure of the vulnerability and the public release of PoC exploit code, multiple actors have been attempting to exploit it, Shadowserver and GreyNoise researchers reported.

In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

GreyNoise researchers also reported malicious exploitation attempts against CVE-2024-4577.

“As of this writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server: