Details have emerged about a major new security vulnerability in PHP that could be exploited to achieve remote code execution under certain conditions.

The vulnerability, identified as CVE-2024-4577, is described as a CGI argument injection flaw affecting all PHP versions installed on the Windows operating system.

You might be interested in: Check Point Alerts on VPN Zero-Day Attacks

According to a DEVCORE security researcher, the issue allows users to bypass protections for another security flaw, CVE-2012-1823.

“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system,” said security researcher Orange Tsai. “This oversight allows unauthenticated attackers to bypass CVE-2012-1823’s previous protection using specific character sequences. Argument injection attacks enable arbitrary code execution on remote PHP servers.”

Following responsible disclosure on May 7, 2024, a fix for the vulnerability is now available in PHP versions 8.3.8, 8.2.20, and 8.1.29.

DEVCORE has advised that all XAMPP installations on Windows are vulnerable by default when using the Traditional Chinese, Simplified Chinese, or Japanese locales.

The Taiwanese company also recommends that administrators abandon the obsolete PHP CGI in favor of more secure options like Mod-PHP, FastCGI, or PHP-FPM.

“This vulnerability is incredibly simple, but that’s also what makes it interesting,” Tsai stated. “Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?”

In a post on X, the Shadowserver Foundation stated that within 24 hours of the flaw’s public disclosure, it had identified exploitation attempts against its honeypot servers.

WatchTowr Labs reported that it was able to create an attack for CVE-2024-4577 and achieve remote code execution, highlighting the importance of users applying the most recent updates as soon as possible.

“A nasty bug with a very simple exploit,” security researcher Aliz Hammond explained.

“Those running in an affected configuration under one of the affected locales—Chinese (Simplified or Traditional) or Japanese—are urged to do this as quickly as possible, as the bug has a high chance of being exploited en masse due to the low exploit complexity.”