A critical vulnerability in PHP for Windows versions 5.x and earlier, identified as CVE-2024-4577, has been uncovered by researchers at cybersecurity firm DEVCORE. This flaw allows unauthenticated attackers to execute arbitrary code on affected servers by exploiting a weakness in the Best-Fit feature of encoding conversion. The vulnerability was reported to the PHP development team by Devcore researcher Orange Tsai and subsequently addressed in the latest PHP versions released on June 6, 2024.
Since the disclosure of CVE-2024-4577 and the availability of a proof-of-concept exploit, there has been a surge in attempts to exploit the vulnerability by various threat actors. Shadowserver and GreyNoise researchers have reported multiple malicious attempts to exploit this vulnerability, particularly targeting PHP/PHP-CGI systems. The vulnerability is particularly impactful for systems running Windows in specific locales, including Traditional Chinese, Simplified Chinese, and Japanese, where unauthorized attackers can directly execute arbitrary code.
XAMPP users are especially vulnerable due to a default configuration that exposes the PHP binary. While XAMPP has yet to release an update addressing this vulnerability, DEVCORE has provided mitigation instructions to reduce the risk of attacks for XAMPP users. Additionally, administrators of systems that cannot be immediately upgraded are advised to apply mod_rewrite rules to block exploitation attempts.
To mitigate the risk posed by CVE-2024-4577, users are strongly advised to update to the latest PHP versions (8.3.8, 8.2.20, and 8.1.29). However, given the problematic nature of PHP CGI architecture, it is recommended to evaluate migrating to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM. This underscores the importance of maintaining up-to-date software and adopting secure architectures to mitigate the risk of such vulnerabilities in the future.
Reference:
