CVE-2024-4577
Argument Injection in PHP-CGI
In short
PHP-CGI on Windows can be tricked into accepting malicious command-line options through character encoding tricks, allowing attackers to expose source code or run arbitrary code on the server.
Technical detail
An argument injection vulnerability in PHP-CGI on Windows occurs when Apache passes user input through the CGI interface; if Windows code page settings enable 'Best-Fit' character mapping, specially crafted input can be reinterpreted as PHP options (e.g., -r, -d), bypassing normal request handling. Requires specific Windows code page configuration and vulnerable PHP versions; impact includes arbitrary code execution and information disclosure.
Summary generated and translated by AI from the official description.
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
PHP Group · PHPpublic PoCs found — 70
githubgithub.com/watchtowrlabs/CVE-2024-4577★ 318githubgithub.com/xcanwin/CVE-2024-4577-PHP-RCE★ 163githubgithub.com/TAM-K592/CVE-2024-4577★ 77githubgithub.com/Night-have-dreams/php-cgi-Injector★ 45githubgithub.com/11whoami99/CVE-2024-4577★ 43githubgithub.com/Chocapikk/CVE-2024-4577★ 34githubgithub.com/ZephrFish/CVE-2024-4577-PHP-RCE★ 32githubgithub.com/gh-ost00/CVE-2024-4577-RCE★ 25githubgithub.com/BTtea/CVE-2024-4577-RCE-PoC★ 25githubgithub.com/huseyinstif/CVE-2024-4577-Nuclei-Template★ 22githubgithub.com/gotr00t0day/CVE-2024-4577★ 13githubgithub.com/K3ysTr0K3R/CVE-2024-4577-EXPLOIT★ 10githubgithub.com/manuelinfosec/CVE-2024-4577★ 9githubgithub.com/l0n3m4n/CVE-2024-4577-RCE★ 7githubgithub.com/aavamin/cve-2024-4577★ 6githubgithub.com/bibo318/CVE-2024-4577-RCE-ATTACK★ 5githubgithub.com/CirqueiraDev/MassExploit-CVE-2024-4577★ 5githubgithub.com/longhoangth18/CVE-2024-4577★ 5githubgithub.com/0x20c/CVE-2024-4577-nuclei★ 5githubgithub.com/Sh0ckFR/CVE-2024-4577★ 4githubgithub.com/JeninSutradhar/CVE-2024-4577-checker★ 3githubgithub.com/ibrahmsql/CVE-2024-4577★ 3githubgithub.com/zomasec/CVE-2024-4577★ 3githubgithub.com/d3ck4/Shodan-CVE-2024-4577★ 2githubgithub.com/AlperenY-cs/CVE-2024-4577★ 2githubgithub.com/VictorShem/CVE-2024-4577★ 2githubgithub.com/byteReaper77/CVE-2024-4577★ 2githubgithub.com/phirojshah/CVE-2024-4577★ 2githubgithub.com/gl1tch0x1/PHP_8.1.x_Exploit★ 1githubgithub.com/ggfzx/CVE-2024-4577★ 1githubgithub.com/Junp0/CVE-2024-4577★ 1githubgithub.com/sug4r-wr41th/CVE-2024-4577★ 1githubgithub.com/Sysc4ll3r/CVE-2024-4577★ 1githubgithub.com/0XFFFF-XD/CVE-2024-4577-PHP-CGI-RCE★ 1githubgithub.com/taida957789/CVE-2024-4577★ 1githubgithub.com/Wh02m1/CVE-2024-4577★ 1githubgithub.com/ywChen-NTUST/PHP-CGI-RCE-Scanner★ 1githubgithub.com/PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough★ 1githubgithub.com/r0otk3r/CVE-2024-4577★ 0githubgithub.com/mananjain61/PHP-CGI-INTERNAL-RCE★ 0githubgithub.com/Skycritch/CVE-2024-4577★ 0githubgithub.com/Ianthinus/CVE-2024-4577★ 0githubgithub.com/InfoSec-DB/PHPCGIScanner★ 0githubgithub.com/a1ex-var1amov/ctf-cve-2024-4577★ 0githubgithub.com/rayngnpc/CVE-2024-4577-rayng★ 0githubgithub.com/Gill-Singh-A/CVE-2024-4577-Exploit★ 0githubgithub.com/graphite-org/CVE-2024-4577★ 0githubgithub.com/WanLiChangChengWanLiChang/CVE-2024-4577-RCE-EXP★ 0githubgithub.com/dbyMelina/CVE-2024-4577★ 0githubgithub.com/bl4cksku11/CVE-2024-4577★ 0githubgithub.com/Entropt/CVE-2024-4577_Analysis★ 0githubgithub.com/jakabakos/CVE-2024-4577-PHP-CGI-argument-injection-RCE★ 0githubgithub.com/olebris/CVE-2024-4577★ 0githubgithub.com/charis3306/CVE-2024-4577★ 0githubgithub.com/zjhzjhhh/CVE-2024-4577★ 0githubgithub.com/gmh5225/CVE-2024-4577-PHP-RCE★ 0githubgithub.com/a-roshbaik/CVE-2024-4577★ 0githubgithub.com/a-roshbaik/CVE-2024-4577-PHP-RCE★ 0githubgithub.com/Jcccccx/CVE-2024-4577★ 0githubgithub.com/bughuntar/CVE-2024-4577★ 0githubgithub.com/princew88/CVE-2024-4577★ 0githubgithub.com/AhmedMansour93/Event-ID-268-Rule-Name-SOC292-Possible-PHP-Injection-Detected-CVE-2024-4577-★ 0githubgithub.com/ahmetramazank/CVE-2024-4577★ 0githubgithub.com/tpdlshdmlrkfmcla/php-cgi-cve-2024-4577★ 0githubgithub.com/Didarul342/CVE-2024-4577★ 0githubgithub.com/Ra1n-60W/CVE-2024-4577★ 0githubgithub.com/wilss0n/CVE-2024-4577★ 0githubgithub.com/tntrock/CVE-2024-4577_PowerShell★ 0githubgithub.com/KimJuhyeong95/cve-2024-4577★ 0exploitdbwww.exploit-db.com/exploits/52331unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.htmlhttps://blog.talosintelligence.com/new-persistent-attacks-japan/https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediatelyhttps://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/https://github.com/11whoami99/CVE-2024-4577https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jvhttps://github.com/rapid7/metasploit-framework/pull/19247https://github.com/watchtowrlabs/CVE-2024-4577https://github.com/xcanwin/CVE-2024-4577-PHP-RCEhttps://isc.sans.edu/diary/30994https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/