The Akamai Security Intelligence Response Team (SIRT) warns that multiple threat actors are exploiting the PHP vulnerability CVE-2024-4577 to deliver multiple malware families, including Gh0st RAT, RedTail cryptominers, and XMRig.
“Threat actors continued the speedy-time-from-disclosure-to-exploitation trend and were quick to leverage this new vulnerability — we observed exploit attempts targeting this PHP flaw on our honeypot network within 24 hours of its disclosure,” reported Akamai.
The flaw CVE-2024-4577 (CVSS score: 9.8) is a PHP-CGI OS Command Injection Vulnerability. The issue resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.
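As an added example (not Akamai's or the PHP project's code), the heuristic below scans constructed Apache-style access log lines for PHP-CGI argument-injection attempts of the kind described above: a query string that the web server would hand to php-cgi as command-line arguments and that either begins with an option switch (the CVE-2012-1823 pattern) or carries non-ASCII bytes in its leading token, which is where Windows Best-Fit conversion could alter the argument. The log format, paths and the two indicators are assumptions for illustration, not rules from the advisory.

```python
"""Heuristic detector for PHP-CGI argument-injection attempts in web access logs."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in Apache combined-ish format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Jul/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?-d+allow_url_include%3d1 HTTP/1.1" 200 0
203.0.113.7 - - [10/Jul/2024:12:00:03 +0000] "POST /php-cgi/php-cgi.exe?%C3%A9d+x%3d1 HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')
# Assumed request paths that reach php-cgi on the monitored hosts.
PHP_CGI_RE = re.compile(r'(?i)php-cgi|\.php$')


def classify(line):
    """Return a list of reasons a line looks like an injection attempt, or None."""
    m = LOG_RE.search(line)
    if not m or not PHP_CGI_RE.search(m.group('path')):
        return None
    raw_query = m.group('query') or ''
    # Per RFC 3875, a query string with no literal '=' is split on '+' and passed
    # to the CGI binary as command-line arguments; that is the injection surface.
    if '=' in raw_query:
        return None
    # Decode to raw bytes (no UTF-8 assumption): Best-Fit acts on the byte values.
    decoded = unquote_to_bytes(raw_query.replace('+', ' '))
    first_token = decoded.split(b' ', 1)[0]
    reasons = []
    if first_token.startswith(b'-'):
        reasons.append('leading token is a php-cgi option switch (CVE-2012-1823 pattern)')
    if any(b >= 0x80 for b in first_token):
        reasons.append('non-ASCII bytes in leading token (Best-Fit conversion candidate)')
    return reasons or None


def scan(log_text):
    """Return [(line_number, reasons)] for every suspicious line in log_text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == '__main__':
    for n, reasons in scan(SAMPLE_LOG):
        print(f'line {n}: ' + '; '.join(reasons))
```

Treat hits as leads for triage against the patched PHP version inventory, not as proof of compromise; ordinary non-ASCII parameters in `=`-style queries are deliberately ignored.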
In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Greynoise researchers also reported malicious attempts to exploit CVE-2024-4577.
“For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios,” continues the advisory. “Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.”
Akamai researchers also observed threat actors behind the DDoS botnet Muhstik exploiting this vulnerability.
Pierluigi Paganini