CVE-2024-4577
unknown
KEV
CVSS v3
β
CVSS v4 NEW
β
VIR risk
2.5
Description
PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
CISA KEV
- Vendor
- PHP Group
- Product
- PHP
- Due date
- 2024-07-03
Predictions
Exploit likelihood
99%
Patch ETA
β
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
{Vendor advisory: cisa-kev β This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://www.php.net/ChangeLog-8.php#; https://nvd.nist.gov/vuln/detail/CVE-2024-4577}
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
PHP CGI Module 8.3.4 - Remote Code Execution (RCE)
Source code queued for fetch β refresh in a moment.
Metasploit modules
Source fetch failed: fetch_error β view the original via the link above.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
References
- https://www.suse.com/security/cve/CVE-2024-4577.html
- https://security-tracker.debian.org/tracker/CVE-2024-4577
- This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://www.php.net/ChangeLog-8.php#; https://nvd.nist.gov/vuln/detail/CVE-2024-4577
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.