CVE-2024-4577

CVE-2024-4577 is a critical-severity vulnerability in Php with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-06-12). The underlying weakness is classified as CWE-78.

Key facts

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVE-2024-4577: PHP-CGI Argument Injection on Windows via Best-Fit Character Mapping

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-4577
Published 2024-06-09
Severity CRITICAL
CVSS v3 9.8
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-78 (OS Command Injection)
EPSS 0.99987 (99.987th percentile)
KEV Yes (added 2024-06-12)
Ransomware Campaign Confirmed
Assigner [email protected]

Summary

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when running under Apache with PHP-CGI on Windows systems configured to use certain code pages, Windows may apply "Best-Fit" behavior to replace characters in the command line passed to Win32 API functions. The PHP CGI module can misinterpret these substituted characters as PHP options, enabling a remote unauthenticated attacker to inject arguments into the PHP binary. This can result in source code disclosure and remote code execution on the target server.

Background

PHP-CGI is a Common Gateway Interface implementation that allows web servers to execute PHP scripts. On Windows, when Apache uses PHP-CGI to handle requests, the operating system's character encoding behavior can interact unexpectedly with how PHP parses its command-line arguments. Windows' "Best-Fit" character mapping is a legacy compatibility feature designed to approximate characters that do not exist in the current code page with visually similar alternatives. While typically harmless, this behavior becomes dangerous when the substituted characters are interpreted by applications as control characters or option delimiters.

Root Cause

The vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The root cause lies in the intersection of three factors:

  1. Windows Best-Fit Character Mapping: When the system locale uses certain code pages, Windows may silently replace characters in the command-line string passed to CreateProcess or similar Win32 APIs with visually similar alternatives.
  2. PHP-CGI Argument Parsing: The PHP CGI binary interprets specific character sequences as command-line options (for example, the -s option triggers source code highlighting mode).
  3. Lack of Input Sanitization: The PHP CGI module does not adequately validate or neutralize characters that have been transformed by the Windows character mapping layer before interpreting them as option flags.

An attacker can craft a malicious HTTP request containing characters that, after Best-Fit mapping, are reinterpreted as PHP option switches. These injected options can change PHP's execution mode, expose source code, or execute arbitrary PHP code through built-in options like -d (define INI entries) or -r (run PHP code).

Impact

The CVSS v3.1 score of 9.8 (Critical) reflects the severe and wide-reaching impact of this vulnerability:

  • Attack Vector (AV:N): The vulnerability is exploitable remotely over the network.
  • Attack Complexity (AC:L): No special conditions or advanced techniques are required; exploitation is straightforward once the target configuration is identified.
  • Privileges Required (PR:N): No authentication or prior access is needed.
  • User Interaction (UI:N): The attack can be carried out without any interaction from a legitimate user.
  • Scope (S:U): The vulnerable component is the PHP-CGI process itself.
  • Confidentiality, Integrity, Availability (C:H / I:H / A:H): Successful exploitation can lead to complete compromise of the affected system—source code disclosure undermines confidentiality, arbitrary code execution enables integrity violations, and persistent access or denial of service impacts availability.

Given the EPSS score of 0.99987, active exploitation in the wild is considered highly probable. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog with a ransomware nexus, underscoring its real-world impact.

Exploitation Walkthrough

Ethics and Legal Notice: The following description is provided for defensive and educational purposes only. Attempting to exploit systems without explicit authorization is illegal and unethical. Security practitioners should use this information to improve detection, hardening, and incident response capabilities.

From a defensive standpoint, the exploitation flow follows a predictable pattern:

  1. Reconnaissance: The attacker identifies a Windows server running Apache with PHP-CGI and determines the PHP version to confirm it is unpatched.
  2. Character Mapping Abuse: The attacker crafts an HTTP request where specific characters in the URL or query string are chosen based on the target system's code page. When Windows applies Best-Fit mapping, these characters are converted into option delimiters or flags recognized by the PHP binary.
  3. Option Injection: The transformed characters reach the PHP-CGI process as command-line arguments. For example, an attacker might inject the -s option to trigger PHP's source highlighting mode, directly exposing the source code of .php files. More aggressively, options like -d can override PHP INI settings to enable dangerous functions, or -r can execute arbitrary PHP code strings.
  4. Post-Exploitation: With arbitrary PHP execution, the attacker can deploy webshells, exfiltrate data, pivot laterally within the network, or deploy ransomware payloads.

Defenders should monitor for HTTP requests containing suspicious character sequences, unexpected PHP-CGI process behavior, or sudden changes in file access patterns on Windows web servers.

Affected and Patched Versions

Affected Versions:

  • PHP 8.1.* before 8.1.29
  • PHP 8.2.* before 8.2.20
  • PHP 8.3.* before 8.3.8

Patched Versions:

  • PHP 8.1.29
  • PHP 8.2.20
  • PHP 8.3.8

Affected Configuration:

  • Windows operating systems (any version running the affected PHP builds)
  • Apache HTTP Server using PHP-CGI
  • Systems configured with code pages that trigger Best-Fit character mapping

Note: This vulnerability does not affect PHP running under mod_php, FastCGI, or PHP-FPM on Windows, nor does it affect PHP-CGI on non-Windows platforms.

Remediation

Primary Remediation:
Upgrade to the patched PHP versions immediately:

  • PHP 8.1.29 or later
  • PHP 8.2.20 or later
  • PHP 8.3.8 or later

Compensating Controls (if immediate patching is not possible):

  • Switch to PHP-FPM or mod_php: If the web application architecture permits, migrate from PHP-CGI to PHP-FPM or mod_php, which are not affected by this vulnerability.
  • Web Application Firewall (WAF): Deploy or update WAF rules to block HTTP requests containing character sequences known to trigger Best-Fit mapping abuse against PHP-CGI endpoints.
  • Restrict Access: Limit access to PHP-CGI endpoints to trusted IP ranges or VPN segments where feasible.
  • Monitor and Alert: Enable detailed logging for PHP-CGI processes and configure SIEM rules to alert on anomalous command-line arguments or unexpected PHP execution modes.
  • Disable Unnecessary Options: Where possible, restrict the PHP binary's ability to accept certain command-line options through system-level policies or wrapper scripts.

Detection

Organizations can detect potential exploitation or post-exploitation activity through the following methods:

  • HTTP Request Inspection: Monitor for requests containing non-standard or Unicode characters in the URL path or query parameters that may map to PHP option switches after Best-Fit transformation.
  • Process Monitoring: Alert when PHP-CGI processes are spawned with unexpected command-line arguments, particularly options like -s, -d, or -r.
  • File Integrity Monitoring (FIM): Detect unexpected modifications to web-accessible directories, especially the appearance of new PHP files or webshells.
  • Network Traffic Analysis: Look for anomalous outbound connections from web servers, which may indicate post-exploitation command-and-control communication or data exfiltration.
  • Endpoint Detection and Response (EDR): Correlate process execution events with parent-child relationships; PHP-CGI spawning unusual child processes (e.g., PowerShell, cmd.exe) is a high-fidelity indicator of compromise.

Assessment

CVE-2024-4577 represents a textbook example of how platform-specific behavior (Windows Best-Fit mapping) can introduce critical vulnerabilities in cross-platform software. The EPSS score of 0.99987 and CISA KEV inclusion confirm that this vulnerability is not merely theoretical—it is actively exploited in ransomware campaigns. The EU Exploitation Database also recorded this vulnerability as actively exploited starting on 2024-06-12, just days after public disclosure.

Key Lessons:

  1. Platform Assumptions Are Dangerous: Software designed to run across multiple operating systems must account for OS-specific behaviors in process creation, character encoding, and argument parsing. What is safe on Linux may be catastrophic on Windows.
  2. Visibility into Legacy Features Matters: Windows Best-Fit mapping is a decades-old compatibility mechanism that most modern administrators are unaware of. Security teams must understand the platforms they defend, including obscure or legacy behaviors that can be weaponized.

References

Frequently asked questions

What is CVE-2024-4577?
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
How severe is CVE-2024-4577?
CVE-2024-4577 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-4577 being actively exploited?
Yes. CVE-2024-4577 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-06-12, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-4577?
CVE-2024-4577 primarily affects Php. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-4577?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-4577 have an EU (EUVD) identifier?
Yes. CVE-2024-4577 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-44188. It is also flagged as exploited in the EUVD (since 2024-06-12).
When was CVE-2024-4577 published?
CVE-2024-4577 was published on 2024-06-09 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Php

All CVEs affecting Php →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: