CVE-2024-4577

Advisory lineage: Upstream: 0 | Downstream: 1
Status: Analyzed
Published: 09 Jun 2024, 19:42
Last modified: 21 Oct 2025, 23:05

Vulnerability Summary

Overall Risk (default): high (70/100)
CVSS Score: 9.8 CRITICAL, v3.1 (cve.org)
EPSS Score: 94.39% CRITICAL (94% probability, +0.02%)
KEV: Listed
CISA: 1 listing
Ransomware: Known Use
Public exploits: 14 found
Dark Web: Not detected

Timeline

09 Jun 2024, 19:42 - Published: Vulnerability first disclosed
12 Jun 2024, 00:00 - Added to CISA KEV: PHP-CGI OS Command Injection Vulnerability
03 Jul 2024, 00:00 - CISA Remediation Due: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
21 Oct 2025, 23:05 - Last Modified: Vulnerability information updated

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS Metrics

  • v3.1 CRITICAL, Score: 9.8, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 94.39% | Percentile: 100%

Techniques & Countermeasures

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected Systems

  • fedoraproject / fedora

    39 | 40

  • Unknown / PHP

    ≥ 8.1.*, < 8.1.29 | ≥ 8.2.*, < 8.2.20 | ≥ 8.3.*, < 8.3.8

  • Unknown / PHP

    ≥ 8.1.0, < 8.1.29 | ≥ 8.2.0, < 8.2.20 | ≥ 8.3.0, < 8.3.8

References (23)