Researchers at DEVCORE found a serious vulnerability in PHP that allows attackers to execute code remotely on affected servers. Because PHP is so widely deployed and the flaw is simple to exploit, DEVCORE rated it critical and promptly reported it to the PHP development team; fixed releases shipped on June 6th, 2024. For the full disclosure timeline, refer to the official resources.

CVE-2024-4577

  • PHP's handling of character encoding on Windows was not accounted for during development: the Windows "Best-Fit" conversion can silently map certain characters to others.
  • This oversight lets an attacker bypass the earlier fix for CVE-2012-1823 (PHP-CGI argument injection) by supplying specific characters that Windows converts into the hyphen the old fix filtered.
  • As a result an attacker can inject php-cgi command-line arguments and potentially take control of a vulnerable PHP server (remote code execution).
Version    Affected Version
PHP 8.3    < 8.3.8
PHP 8.2    < 8.2.20
PHP 8.1    < 8.1.29

Note: This vulnerability affects every PHP release branch installed on the Windows operating system; the exploitable configuration is PHP running in CGI mode (php-cgi), as the DEVCORE advisory linked below describes. PHP 8.0, 7.x and 5.x have reached end-of-life (EOL) and no longer receive official security updates, so no fixed release will be published for them and they remain exposed to this flaw and to any future ones.
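The following is an added example, not CERT-PH's or DEVCORE's code, that turns the table and note above into a check an operator can run against `php -v` output: it parses the version, compares it with the first fixed release of its branch, and flags end-of-life branches for which no fix exists. The version thresholds come from the advisory table; the function names and the sample `php -v` line are assumptions made for the example.

```python
"""Classify an installed PHP build against the CVE-2024-4577 affected ranges.

Added example (not CERT-PH's or DEVCORE's code). Thresholds are taken from the
advisory table; function names and the sample input are assumptions.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

# First fixed release per supported branch (from the advisory table).
FIXED_RELEASE = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Constructed `php -v` output used as sample input (not captured from a real host).
SAMPLE_PHP_V = "PHP 8.3.7 (cli) (built: May  7 2024 16:35:26) (NTS Visual C++ 2019 x64)"


def parse_php_version(text: str) -> Version:
    """Pull the first x.y.z version triple out of `php -v` output (or a bare version)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str, on_windows: bool) -> str:
    """Classify a PHP build. Returns one of:

      "not_windows" - the flaw is Windows-specific, other platforms are out of scope
      "fixed"       - at or above the branch's first fixed release
      "vulnerable"  - a supported branch below its fixed release; upgrade
      "eol"         - 8.0 / 7.x / 5.x: affected, and no fix will be published; migrate
      "unknown"     - a branch newer than the advisory; verify against current advisories
    """
    version = parse_php_version(text)
    if not on_windows:
        return "not_windows"
    branch = version[:2]
    if branch in FIXED_RELEASE:
        # Tuple comparison orders (major, minor, patch) numerically, so 8.3.10 > 8.3.8.
        return "fixed" if version >= FIXED_RELEASE[branch] else "vulnerable"
    if version[0] < 8 or branch == (8, 0):
        return "eol"
    return "unknown"


def recommendation(text: str, on_windows: bool) -> str:
    """Human-readable action for operators, derived from assess()."""
    status = assess(text, on_windows)
    version = parse_php_version(text)
    dotted = ".".join(map(str, version))
    if status == "vulnerable":
        fixed = ".".join(map(str, FIXED_RELEASE[version[:2]]))
        return f"PHP {dotted}: upgrade to {fixed} or later"
    if status == "eol":
        return f"PHP {dotted}: end-of-life branch, migrate to 8.1.29 / 8.2.20 / 8.3.8 or later"
    return f"PHP {dotted}: {status}"


if __name__ == "__main__":
    # On a real host feed it the output of `php -v` (or `php-cgi -v` for the CGI binary).
    print(recommendation(SAMPLE_PHP_V, on_windows=True))
```

Run it once per PHP binary present on the host, since Windows stacks such as XAMPP can ship several copies of PHP that are patched independently.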

If you’re running one of these versions, consult the DEVCORE advisory at https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ to assess your exposure; it also describes temporary workarounds to apply until you can upgrade.

CERT-PH recommends the following actions be taken: