Critical Vulnerability in Hypertext Preprocessor (PHP) Software

Published on 08 Jun 2024

PHP has released security updates addressing a critical vulnerability (CVE-2024-4577) affecting installations where PHP is used in CGI mode. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10. The proof-of-concept exploit code that targets this vulnerability is reportedly publicly available.

Successful exploitation of the CGI argument injection vulnerability could allow an unauthenticated attacker to perform arbitrary remote code execution on the PHP servers.

The vulnerability affects all PHP versions running on Windows OS.

Users and administrators of affected PHP versions are advised to update to the latest versions immediately.

More information is available here: