Skip to main content

Critical Vulnerability in PHP

New versions of PHP address a critical vulnerability that could lead to arbitrary PHP code execution

Threat ID:
CC-4508
Threat Severity:
Medium
Published:
11 June 2024 12:48 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

New versions of PHP address a critical vulnerability that could lead to arbitrary PHP code execution

Affected platforms

The following platforms are known to be affected:

Versions: Windows OS Versions 8.1 to 8.1.29 | 8.2 to 8.2.20 | 8.3 to 8.3.8

PHP

Threat details

End-of-life versions also affected

Following the release of PHP 8.0, PHP 7 and PHP 5 are end-of-life (EOL) and are no longer maintained. Refer to the "Am I Vulnerable?" section of the DEVCORE security alert to review possible mitigation. 

Introduction

DEVCORE has discovered a critical security vulnerability in PHP versions installed on Microsoft Windows operating system (OS).  PHP is a widely used open-source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

The CGI argument injection vulnerability is known as CVE-2024-4577 and has a CVSSv3.1 score of 9.8. An attacker could exploit this vulnerability to execute arbitrary PHP code on vulnerable instances.

Active Exploitation of CVE-2024-4577

A public proof-of-concept is available for this vulnerability and security researchers have observed exploitation attempts in the wild. 

Remediation advice

Affected organisations are encouraged to review the DEVCORE security alert and follow the remediation guidance as soon as possible.

Last edited: 11 June 2024 12:48 pm