Critical Security Vulnerability Affecting PHP

A newly disclosed critical security vulnerability in PHP, CVE-2024-4577, can be exploited under specific circumstances to achieve remote code execution.

This vulnerability affects all versions of PHP installed on Windows operating systems. Described as a CGI parameter injection vulnerability, it bypasses the protections that were put in place for the earlier CVE-2012-1823 vulnerability.

DEVCORE security researcher Orange Tsai explained, “In the implementation of PHP, the team overlooked the Best-Fit feature of encoding conversion in Windows. This oversight allows unauthenticated attackers to bypass the protections of CVE-2012-1823 through specific character sequences, thereby executing arbitrary code on remote PHP servers.”

On May 7, 2024, DEVCORE responsibly disclosed this vulnerability. Subsequently, PHP released patches for this vulnerability in versions 8.3.8, 8.2.20, and 8.1.29.

DEVCORE warned that all XAMPP installations on Windows configured to use Traditional Chinese, Simplified Chinese, or Japanese locales are vulnerable by default. The company advises administrators to completely abandon outdated PHP CGI in favor of more secure solutions such as Mod-PHP, FastCGI, or PHP-FPM.

“This vulnerability is very simple, but that’s what makes it interesting,” said Orange Tsai. “Who would have thought that a patch, reviewed for 12 years and considered secure, could be bypassed due to a small feature in Windows?”

The Shadowserver Foundation shared on social media platform X that within 24 hours of public disclosure, their honeypot servers detected attempts to exploit this vulnerability.

watchTowr Labs stated that they have developed an exploit for CVE-2024-4577 and achieved remote code execution. Therefore, users must apply the latest patches promptly. Security researcher Aliz Hammond emphasized, “This is a very serious vulnerability, and it’s very easy to exploit. Users with affected configurations in the impacted locales (Simplified or Traditional Chinese, or Japanese) should act quickly, as the low complexity of exploiting this vulnerability makes it highly likely to be widely abused.”