This vulnerability, known

[badsha0018]

CERT-Yoroi reports that a critical vulnerability has been disclosed in the PHP programming language that allows remote attackers to execute arbitrary code on target systems.

CVE-2024-4577, is caused by a flaw in the “Best-Fit” feature, which is used for character encoding conversion in the Windows operating system when implementing PHP. This bug allows a potential unauthenticated attacker to bypass protections implemented for a previous vulnerability known as CVE-2012-1823 (related to the PHP CGI module) for

remotely execute arbitrary code on the PHP server via argument injection exploits and gain unauthorized access and control over the targeted system.

The vulnerability was exploited in the wild in a malicious campaign that led chinese overseas canada database to the deployment of the “TellYouThePass” ransomware . Furthermore, the POC of the flaw was also disclosed , where it is possible to reconstruct the attack codes for its exploitation.

This vulnerability affects all versions of PHP installed on the Windows operating system , the affected versions of which are:

Since PHP 8.0, PHP 7, and PHP 5 branches are End-of-Life and no longer maintained, server administrators can refer to the Am I Vulnerable section to find temporary patch recommendations in the Mitigation Measure section .

It is strongly recommended that all users upgrade to the latest PHP versions 8.3.8 , 8.2.20 , and 8.1.29 . For systems that cannot be upgraded, the following instructions can be used to temporarily mitigate the vulnerability.