Full Report
Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation. [...]
Analysis Summary
# Vulnerability: Critical PHP RCE in CGI Mode
## CVE Details
- CVE ID: CVE-2024-4577
- CVSS Score: Information not explicitly provided, but described as **Critical** and **mass exploited**.
- CWE: Not explicitly provided, likely related to Improper Input Validation leading to Remote Code Execution.
## Affected Systems
- Products: PHP running in CGI mode (specifically on Windows, though widespread exploitation is noted).
- Versions: Technical details on vulnerable versions are not explicitly listed in this excerpt, but it applies to installations vulnerable to RCE when running PHP in CGI.
- Configurations: Affects PHP installations running in CGI mode, particularly noted in Windows environments.
## Vulnerability Description
A critical Remote Code Execution (RCE) vulnerability exists in PHP when executed via CGI. The vulnerability allows remote attackers to execute arbitrary code on the underlying operating system. Adversaries have been observed leveraging this flaw for sophisticated post-exploitation activities, including establishing persistence, escalating privileges to SYSTEM level, and deploying frameworks like the "TaoWu" Cobalt Strike kit.
## Exploitation
- Status: **Mass exploited in the wild**. Exploitation was observed globally shortly after patches were released (less than 48 hours by one threat actor).
- Complexity: Implied to be **Low** given the widespread and automated scanning efforts observed by security firms.
- Attack Vector: Network (Remote execution).
## Impact
- Confidentiality: High (based on observed post-exploitation activity involving credential harvesting and framework deployment).
- Integrity: High (ability to establish persistence and deploy malware/ransomware).
- Availability: High (potential for system encryption, as seen with ransomware groups).
## Remediation
### Patches
- Patches were released in June 2024. Users must update PHP to a non-vulnerable version. (Specific fixed versions are not detailed in this summary source.)
### Workarounds
- If patching is immediately impossible, users should review configurations to ensure PHP is not running insecurely in CGI mode, especially on Windows systems.
## Detection
- Indicators of compromise include remote code execution attempts and subsequent activity such as:
- Deployment of webshells.
- Attempts to achieve SYSTEM level privileges.
- Usage of adversarial tools/frameworks like Cobalt Strike.
- Detection methods include monitoring web server logs for exploitation attempts targeting the PHP CGI handler. Security firms like GreyNoise observed significant scanning activity targeting this CVE globally.
## References
- Vendor advisories (Implicitly the PHP release notes regarding CVE-2024-4577).
- GreyNoise report on mass exploitation: hxxps://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerability-cve-2024-457
- GreyNoise observation data: hxxps://viz.greynoise.io/tags/php-cve-2024-4577-rce-attempt
- Reports of exploitation by TellYouThePass ransomware: hxxps://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/
- Report of Windows system backdooring: hxxps://www.bleepingcomputer.com/news/security/hackers-use-php-exploit-to-backdoor-windows-systems-with-new-malware/