{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-4577","assignerOrgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","state":"PUBLISHED","assignerShortName":"php","dateReserved":"2024-05-06T22:21:01.742Z","datePublished":"2024-06-09T19:42:36.464Z","dateUpdated":"2025-10-21T23:05:16.089Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","modules":["CGI"],"platforms":["Windows"],"product":"PHP","repo":"https://github.com/php/php-src","vendor":"PHP Group","versions":[{"lessThan":"8.1.29","status":"affected","version":"8.1.*","versionType":"semver"},{"lessThan":"8.2.20","status":"affected","version":"8.2.*","versionType":"semver"},{"lessThan":"8.3.8","status":"affected","version":"8.3.*","versionType":"semver"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"This problem is only present in Windows versions of PHP running in CGI mode, in systems where a codepage using \"Best Fit\" strategy is enabled.&nbsp;<br>"}],"value":"This problem is only present in Windows versions of PHP running in CGI mode, in systems where a codepage using \"Best Fit\" strategy is enabled."}],"credits":[{"lang":"en","type":"reporter","value":"Orange Tsai, DEVCORE Research Team"}],"datePublic":"2024-06-09T19:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In PHP versions<span style=\"background-color: var(--wht);\">&nbsp;8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"<span style=\"background-color: rgb(255, 255, 255);\">Best-Fit\" behavior to replace characters in command line given to&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.&nbsp;</span></span></span><span style=\"background-color: var(--wht);\"><br></span>"}],"value":"In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use \"Best-Fit\" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"dd77f84a-d19a-4638-8c3d-a322d820ed2b","shortName":"php","dateUpdated":"2024-06-21T19:08:41.387Z"},"references":[{"url":"https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"},{"url":"https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"},{"url":"https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"},{"url":"https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"},{"url":"https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"},{"url":"https://github.com/11whoami99/CVE-2024-4577"},{"url":"https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"},{"url":"https://github.com/rapid7/metasploit-framework/pull/19247"},{"url":"https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"},{"url":"https://github.com/watchtowrlabs/CVE-2024-4577"},{"url":"https://www.php.net/ChangeLog-8.php#8.1.29"},{"url":"https://www.php.net/ChangeLog-8.php#8.2.20"},{"url":"https://www.php.net/ChangeLog-8.php#8.3.8"},{"url":"https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"},{"url":"https://isc.sans.edu/diary/30994"},{"url":"http://www.openwall.com/lists/oss-security/2024/06/07/1"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0008/"}],"source":{"advisory":"GHSA-3qgc-jrrr-25jv","discovery":"EXTERNAL"},"title":"Argument Injection in PHP-CGI","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-4577","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-06-15T03:55:28.430189Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2024-06-12","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4577"}}}],"affected":[{"cpes":["cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"],"vendor":"php_group","product":"php","versions":[{"status":"affected","version":"8.1.0","lessThan":"8.1.29","versionType":"custom"}],"defaultStatus":"affected"},{"cpes":["cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"],"vendor":"php_group","product":"php","versions":[{"status":"affected","version":"8.2.0","lessThan":"8.2.20","versionType":"custom"}],"defaultStatus":"affected"},{"cpes":["cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"],"vendor":"php_group","product":"php","versions":[{"status":"affected","version":"8.3.0","lessThan":"8.3.8","versionType":"custom"}],"defaultStatus":"affected"}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4577","tags":["government-resource"]}],"timeline":[{"time":"2024-06-12T00:00:00.000Z","lang":"en","value":"CVE-2024-4577 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T23:05:16.089Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-03-14T01:24:54.997Z"},"references":[{"url":"https://www.vicarius.io/vsociety/posts/php-cgi-os-command-injection-vulnerability-cve-2024-4577"},{"url":"https://www.vicarius.io/vsociety/posts/php-cgi-argument-injection-to-rce-cve-2024-4577"},{"url":"https://blog.talosintelligence.com/new-persistent-attacks-japan/"},{"tags":["x_transferred"],"url":"https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv"},{"tags":["x_transferred"],"url":"https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html"},{"tags":["x_transferred"],"url":"https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"},{"tags":["x_transferred"],"url":"https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/"},{"tags":["x_transferred"],"url":"https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/"},{"tags":["x_transferred"],"url":"https://github.com/11whoami99/CVE-2024-4577"},{"tags":["x_transferred"],"url":"https://github.com/xcanwin/CVE-2024-4577-PHP-RCE"},{"tags":["x_transferred"],"url":"https://github.com/rapid7/metasploit-framework/pull/19247"},{"tags":["x_transferred"],"url":"https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"},{"tags":["x_transferred"],"url":"https://github.com/watchtowrlabs/CVE-2024-4577"},{"tags":["x_transferred"],"url":"https://www.php.net/ChangeLog-8.php#8.1.29"},{"tags":["x_transferred"],"url":"https://www.php.net/ChangeLog-8.php#8.2.20"},{"tags":["x_transferred"],"url":"https://www.php.net/ChangeLog-8.php#8.3.8"},{"tags":["x_transferred"],"url":"https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately"},{"tags":["x_transferred"],"url":"https://isc.sans.edu/diary/30994"},{"tags":["x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2024/06/07/1"},{"tags":["x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"},{"tags":["x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"},{"tags":["x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20240621-0008/"}],"title":"CVE Program Container","x_generator":{"engine":"ADPogram 0.0.1"}}]},"dataVersion":"5.1"}