CVE-2024-4577 Detection: A New Easy-to-Exploit PHP Vulnerability Could Lead to RCE

June 12, 2024 · 3 min read

Hot on the heels of the disclosure of CVE-2024-29849 and its PoC release, another security flaw is creating a buzz in the cyber threat landscape. Successful exploitation of CVE-2024-4577, which affects Windows-based PHP servers, could lead to RCE. The security bug is a CGI argument injection vulnerability that impacts all versions of PHP on Windows and, by default, all XAMPP installations.

Detect CVE-2024-4577 Exploitation Attempts

With cybercrime now a major cause of business disruptions, Proactive Vulnerability Detection is more important than ever before. In the past year alone, 30,000 vulnerabilities have been weaponized for real-world attacks.

To cope with the avalanche of emerging threats, including possible exploits for the recently identified critical PHP flaw (CVE-2024-4577), security researchers require instant access to curated detection rules, hunting queries, and IOC collections bundled with actionable CTI and smart threat detection solutions. SOC Prime Platform for collective cyber defense aggregates a dedicated rule addressing CVE-2024-4577 exploitation attempts. The detection below is enriched with actionable CTI, aligned with the MITRE ATT&CK® framework, and compatible with 30+ SIEM, EDR, and Data Lake solutions. 

Possible CVE-2024-4577 (PHP Remote Code Execution) Exploitation Attempt (via webserver)

Click the Explore Detections button below to reach the full set of CTI-enriched detection content for protecting your organization against vulnerability exploitation, covering both the latest and existing threats.

Explore Detections

CVE-2024-4577 Analysis

Defenders have recently uncovered a novel PHP vulnerability tracked as CVE-2024-4577. Successful exploitation of the identified flaw exposes all Windows servers to potential RCE attacks. According to watchTowr Labs research, however, the bug has only been exploited on Windows-based PHP installations running PHP in CGI mode under certain locales, including Chinese and Japanese.

DEVCORE cybersecurity researchers report that CVE-2024-4577 bypasses the protection that was introduced for an older security flaw, CVE-2012-1823. Using specific character sequences, unauthenticated attackers can get past those protections and achieve arbitrary code execution on remote PHP servers via argument injection. DEVCORE has also cautioned that all XAMPP installations on Windows are inherently vulnerable if configured to use the above-mentioned locales.
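The detection rule named above runs in a SIEM; for readers who only have raw web-server access logs, the following is an added example (not SOC Prime's rule and not code from the original post) of a defender-side triage script for the argument-injection shape the post describes. It flags two things: a query string that percent-decodes to a leading `-`, which is the CVE-2012-1823 shape a PHP-CGI binary would interpret as a command-line option, and a request aimed at a php-cgi binary whose query carries non-ASCII bytes, since the post ties the 2024 bypass to locale-dependent character handling. The php-cgi path pattern and all log lines are constructed sample data, and the non-ASCII rule is a broad triage heuristic rather than a precise signature.

```python
"""Heuristic triage of Apache/IIS-style access logs for PHP-CGI argument injection.

Added example, not the post's detection rule. Assumptions (not from the post):
  - combined-log-format lines; the php-cgi path regex covers common binary names;
  - the non-ASCII rule is a coarse heuristic that will need tuning per site.
"""
import re
from urllib.parse import unquote_to_bytes

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: request paths that end in a PHP CGI executable (constructed pattern).
CGI_BINARY_RE = re.compile(r'/php-cgi(\.exe)?$|/php\.exe$', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into the fields the heuristics need; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def suspicious_reasons(entry):
    """Return the list of heuristics that fire for a parsed entry (empty if none)."""
    reasons = []
    # Decode like a CGI layer would: '+' is a space, then percent-escapes become bytes.
    raw = unquote_to_bytes(entry["query"].replace("+", " "))
    if raw.lstrip().startswith(b"-"):
        # CVE-2012-1823 shape: the decoded query would be read as a php-cgi option.
        reasons.append("query decodes to a leading '-' (CGI option-style argument)")
    if CGI_BINARY_RE.search(entry["path"]) and any(b >= 0x80 for b in raw):
        # Locale-sensitive bypasses rely on non-ASCII input reaching the CGI binary.
        reasons.append("php-cgi request with non-ASCII bytes in query")
    return reasons


def scan(lines):
    """Return (ip, path, reasons) for every log line that trips at least one heuristic."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


# Constructed sample log lines (not real traffic). The directive name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2024:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2024:10:00:02 +0000] "GET /php-cgi/php-cgi.exe?-d+example_directive%3D1 HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Jun/2024:10:00:03 +0000] "POST /php-cgi/php-cgi.exe?%E3%81%82d+example_directive%3D1 HTTP/1.1" 500 0',
    '198.51.100.2 - - [12/Jun/2024:10:00:04 +0000] "GET /search.php?q=%E6%97%A5%E6%9C%AC HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The fourth sample line, a normal non-ASCII search query against a regular `.php` page, is deliberately included to show that the non-ASCII heuristic only fires when the request targets a CGI binary path; on hosts that legitimately serve PHP through `/php-cgi/`, expect false positives and pair this with the status code and response size before escalating.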

Following the disclosure of CVE-2024-4577, PHP versions 8.3.8, 8.2.20, and 8.1.29 were released to address the easy-to-exploit vulnerability. As the primary CVE-2024-4577 mitigation measure, defenders strongly recommend updating to the fixed versions without delay. In addition, admins are advised to switch from the outdated PHP CGI to a more secure option such as mod_php, FastCGI, or PHP-FPM to minimize the risk of exploitation. For users running XAMPP for Windows or those unable to upgrade PHP, the corresponding security advisory provides additional CVE-2024-4577 mitigation guidelines.

Due to the low exploit complexity and the PoC exploit code for CVE-2024-4577 being publicly available on GitHub, CVE-2024-4577 poses a severe risk of being actively leveraged in in-the-wild attacks, which requires a fast response from defenders and increased cybersecurity awareness. Rely on SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation to identify and address cyber defense blind spots in time, proactively hunt for emerging threats, and prioritize detection efforts, ensuring you stay one step ahead of attackers.
