CrowdSec
CrowdSec Score: 6/10

PHP/XAMPP - RCE (CVE-2024-4577)

Published on 09-06-2024
First seen on 10-06-2024
CVSS 9.8/10
PHP - PHP

2422 exploiting IPs reported

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CrowdSec analysis

CVE-2024-4577 is a critical vulnerability affecting PHP installations using Apache with PHP-CGI on Windows. It arises from improper handling of command-line arguments when certain system code pages are in use, allowing attackers to manipulate input and potentially force the execution of arbitrary PHP code or leak sensitive script source code.

CrowdSec has been tracking this vulnerability and its exploits since 10 June 2024.

CrowdSec network data shows that most actors exploiting CVE-2024-4577 rely on broad, untargeted scans with minimal filtering; the activity is largely automated and opportunistic. Week-over-week analysis by CrowdSec also shows that exploitation of CVE-2024-4577 is surging, with attack volumes spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2024-4577 is currently highly visible and actively exploited across the internet.

Detection patterns commonly involve crafted requests aiming to exploit PHP-CGI processing quirks on affected systems.
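The advisory text above fixes the vulnerable ranges per branch (8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8) and ties exposure to the Apache plus PHP-CGI-on-Windows configuration. The following triage helper, an added example that is not CrowdSec's code, applies exactly those ranges to an inventory of hosts; the host names, version strings and configuration flags are constructed sample data, and branches the advisory does not name (8.0, 7.x) are reported for manual review rather than judged.

```python
import re

# Fixed releases per affected branch, taken from the advisory text:
# 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(version):
    """Return (major, minor, patch) from strings such as '8.2.19' or '8.3.7-1+build'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if the version is in a range the advisory names as vulnerable,
    False if it is in a covered branch at or above the fixed release,
    None if the branch is not covered by the advisory text at all."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed

def triage(inventory):
    """inventory: iterable of (host, php_version, uses_php_cgi_on_windows).
    Returns (affected_hosts, hosts_needing_manual_review). A host counts as
    affected only when both the version and the Apache/PHP-CGI-on-Windows
    configuration described in the advisory are present."""
    affected, review = [], []
    for host, version, cgi_on_windows in inventory:
        verdict = is_affected(version)
        if verdict is None:
            review.append(host)
        elif verdict and cgi_on_windows:
            affected.append(host)
    return affected, review

# Constructed sample inventory (hypothetical hosts, not data from this page).
SAMPLE_INVENTORY = [
    ("web-01", "8.1.28", True),       # vulnerable version, exposed configuration
    ("web-02", "8.1.29", True),       # fixed release
    ("web-03", "8.3.7", False),       # vulnerable version, but not PHP-CGI on Windows
    ("web-04", "8.2.19-dev", True),   # suffix stripped by the parser
    ("legacy-01", "8.0.30", True),    # branch not named by the advisory: review by hand
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

The version check alone does not prove exposure: the advisory's precondition is PHP-CGI under Apache on Windows with a Best-Fit-prone code page, so a mod_php or FastCGI-on-Linux host on a listed version is outside the described attack surface even though the version matches.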


Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.
