Mass Exploitation of Critical PHP Vulnerability Begins
securityweek
GreyNoise warns of mass exploitation of a critical vulnerability in PHP leading to remote code execution on vulnerable servers.

Threat actors have started exploiting en masse a critical vulnerability in PHP that could allow remote code execution on vulnerable servers, threat intelligence firm GreyNoise warns.
The flaw, tracked as CVE-2024-4577 (CVSS score of 9.8), can be exploited on Windows servers that are using Apache and PHP-CGI, if they are set to use certain code pages, to inject arguments remotely and execute arbitrary code.
Because PHP’s implementation in Windows did not consider the ‘Best-Fit’ behavior that controls the conversion of Unicode characters to the closest matching ANSI characters, attackers could supply specific character sequences that, when converted, would be misinterpreted as PHP options by the php-cgi module.
CVE-2024-4577 was publicly disclosed in June 2024, and the first exploitation attempts, attributed to a ransomware gang, were observed only two days ...
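One way a defender could triage web access logs for the argument-injection pattern described above. This is an added example, not code from the original article or from GreyNoise; the function names, the heuristic itself and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def is_argument_like(raw_query: str) -> bool:
    """Heuristic: could this query string reach php-cgi as command-line options?"""
    # CGI (RFC 3875, section 4.4) only treats a query string as command-line
    # arguments when it contains no unencoded '='.
    if not raw_query or "=" in raw_query:
        return False
    # Arguments are separated by '+'; decode each one to raw bytes.
    for token in raw_query.split("+"):
        decoded = unquote_to_bytes(token).lstrip()
        if not decoded:
            continue
        first = decoded[0]
        # A literal '-' is an option prefix; a byte >= 0x80 belongs to a non-ASCII
        # character that a Best-Fit conversion may map to an ASCII one.
        if first == 0x2D or first >= 0x80:
            return True
    return False

def flag_requests(log_lines):
    """Return the request targets whose query string looks like injected options."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        _path, _, query = target.partition("?")
        if is_argument_like(query):
            flagged.append(target)
    return flagged

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?id=42&lang=en HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 734',
    '198.51.100.9 - - [01/Jan/2025:10:00:02 +0000] "POST /index.php?%B5x+name%3Dvalue HTTP/1.1" 200 97',
    '198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?-x+y HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("review:", target)
```

The heuristic will also flag legitimate keyword-style queries that start with a non-ASCII character and contain no `=`, so treat hits as leads for review rather than confirmed exploitation.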
Copyright of this story solely belongs to securityweek.