PHP command injection flaw exploited to deliver ransomware (CVE-2024-4577)
An OS command injection vulnerability in PHP running on Windows in CGI mode (CVE-2024-4577) is being exploited by the TellYouThePass ransomware gang.
Imperva says the attacks started on June 8, two days after the PHP development team pushed out fixes, and one day after watchTowr researchers published a technical analysis of the flaw together with proof-of-concept exploit code.
The vulnerability affects PHP installed on Windows when it runs in CGI mode, a common enough scenario (default XAMPP installations, for example, expose php-cgi.exe this way). The root cause is an argument injection: the Windows "Best-Fit" character mapping turns certain bytes in the query string, notably the percent-encoded soft hyphen (%AD), into an ordinary hyphen before they reach php-cgi, so the CGI handler parses them as command-line options such as -d, which bypasses the check PHP added for the older CVE-2012-1823. Fixed releases are PHP 8.3.8, 8.2.20 and 8.1.29; end-of-life branches (8.0, 7.x, 5.x) remain vulnerable and will not receive patches.
"Even if PHP is not configured under the CGI mode, merely exposing the PHP executable binary in the CGI directory is affected by this vulnerability too," the Devcore team noted.
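For deployments that cannot upgrade immediately, the workaround published with the advisory is to reject any request whose query string begins with the encoded soft hyphen. Below is that Apache rule as an added example; it is not code from the article, and the XAMPP path in the commented-out ScriptAlias line is an assumption about a default install that should be checked against the local httpd-xampp.conf:

```apache
# Stopgap for CVE-2024-4577 on Apache/Windows (from the public advisory).
# Blocks the known "%AD" prefix that Best-Fit mapping turns into "-".
# It only covers this one byte; upgrading PHP is the real fix.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

# Per Devcore's note, an exposed php-cgi.exe is vulnerable even outside
# CGI mode. Remove the alias that publishes it (assumed XAMPP default path):
# ScriptAlias /php-cgi/ "C:/xampp/php/"
```

Place the rewrite rules in the vhost or .htaccess that fronts PHP; the [F] flag returns 403 and [L] stops further rule processing for that request.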
On Monday, Censys said there are about 458,800 exposed PHP instances that are potentially vulnerable, though they noted that the number of actually vulnerable ones is likely smaller.
"The attackers used the known exploit for CVE-2024-4577 to execute arbitrary PHP code on the target system, leveraging the code to use the 'system' function to run an HTML application file hosted on an attacker-controlled web server via the mshta.exe binary. mshta.exe is a native Windows binary that can execute remote payloads, pointing to the attackers operating in a 'living off the land' style," they explained.
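The exploitation described above leaves a recognisable trace in web server access logs: a query string that starts with the encoded soft hyphen and carries php-cgi -d overrides such as allow_url_include and auto_prepend_file. The following scanner is an added example written for this article, not Imperva's or watchTowr's code; the log lines it runs over are constructed, and the set of option letters and ini directives it looks for is a heuristic, not an exhaustive signature:

```python
import re
from urllib.parse import unquote

# Apache-style combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# After Best-Fit mapping, U+00AD becomes "-", so "\xadd" reaches php-cgi as "-d".
# Option letters checked (heuristic): -d ini override, -n no php.ini,
# -s/-w source display, -c alternate php.ini directory.
OPTION_RE = re.compile(r'\xad[dnswc]')

# ini directives the public PoC chains to turn the request body into PHP code.
SUSPICIOUS_INI = ("allow_url_include", "auto_prepend_file", "auto_append_file")

# Constructed sample log: one benign request, two probes, one benign request
# that merely contains the word "hyphen".
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jun/2024:09:14:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123
203.0.113.5 - - [08/Jun/2024:09:15:47 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 612
203.0.113.5 - - [08/Jun/2024:09:15:49 +0000] "POST /test.php?%add+cgi.force_redirect%3d0+%add+cgi.redirect_status_env%3d0 HTTP/1.1" 200 311
192.0.2.44 - - [08/Jun/2024:09:16:10 +0000] "GET /search.php?q=soft-hyphen HTTP/1.1" 200 2048
"""


def parse_log_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def classify_query(raw_query):
    """Return the reasons a query string looks like a CVE-2024-4577 probe (empty if none)."""
    reasons = []
    # Decode as latin-1 so %AD becomes U+00AD instead of a UTF-8 replacement char.
    decoded = unquote(raw_query, encoding="latin-1")
    if raw_query.lower().startswith("%ad"):
        reasons.append("query begins with %AD (soft hyphen)")
    if OPTION_RE.search(decoded):
        reasons.append("soft hyphen followed by a php-cgi option letter")
    hits = [d for d in SUSPICIOUS_INI if d in decoded.lower()]
    if hits:
        reasons.append("ini override(s): " + ", ".join(hits))
    return reasons


def scan(lines):
    """Return (client, target, reasons) for every line that matches the heuristic."""
    flagged = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = classify_query(rec["query"])
        if reasons:
            flagged.append((rec["client"], rec["target"], reasons))
    return flagged


if __name__ == "__main__":
    for client, target, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} {target}")
        for r in reasons:
            print(f"    - {r}")
```

Only the second and third sample lines are flagged; the first check (query begins with %AD) is the same condition the published Apache rewrite workaround blocks, while the ini-directive check catches the payload even when the hyphen is encoded differently. Correlate hits with php-cgi.exe child processes such as mshta.exe on the host to confirm the chain the article describes.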
News URL
https://www.helpnetsecurity.com/2024/06/13/cve-2024-4577-exploited/