Alert - Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577)

Number: AL25-001
Date: March 12, 2025

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of reports of ongoing and increased exploitation of CVE-2024-4577 (Footnotes 1, 2, 3), a critical remote code execution (RCE) vulnerability in the PHP-CGI implementation of PHP on Windows.

Windows-based PHP installations configured to use PHP-CGI are specifically at risk, as the vulnerability lies in the CGI module's Unicode processing.

Threat actors are actively using this vulnerability. The Cyber Centre is not aware of any Canadian victims from this increased activity, but systems in Canada remain vulnerable despite the exploit proof-of-concept being available since June 2024.

Suggested Actions

Organizations should determine if they are at risk by verifying whether vulnerable versions of PHP are installed on their Windows systems.

Organizations are advised to update to the following versions of PHP (Footnote 4):

  • PHP 8.3 - update to 8.3.8 or later
  • PHP 8.2 - update to 8.2.20 or later
  • PHP 8.1 - update to 8.1.29 or later
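The following PowerShell script is an added example, not part of the Cyber Centre alert, showing one way to carry out the version check above on a Windows host: it locates php.exe binaries, reads their version, compares it with the fixed releases listed in the alert, and notes whether a php-cgi.exe binary sits alongside. The search directories in $SearchRoots are placeholders to adjust for your deployment, and the script assumes "php.exe -v" prints "PHP x.y.z" on its first line.

```powershell
# Added example (not from the Cyber Centre alert): inventory PHP binaries on a
# Windows host and compare each version with the fixed releases in the alert.
# Assumptions: PHP lives under one of $SearchRoots (placeholders) or is on PATH,
# and "php.exe -v" prints "PHP 8.x.y ..." on its first line.

$FixedVersions = @{
    '8.3' = [version]'8.3.8'
    '8.2' = [version]'8.2.20'
    '8.1' = [version]'8.1.29'
}

# Placeholder directories to search; edit to match your installations.
$SearchRoots = @('C:\php', 'C:\xampp\php', 'C:\wamp64\bin\php', 'C:\inetpub')

function Get-PhpVersion {
    param([string]$PhpExe)
    # "php -v" prints e.g. "PHP 8.2.18 (cli) (built: ...)" on its first line
    $firstLine = & $PhpExe -v 2>$null | Select-Object -First 1
    if ($firstLine -match '^PHP (\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-PhpNeedsUpdate {
    param([version]$Version)
    $branch = '{0}.{1}' -f $Version.Major, $Version.Minor
    if ($FixedVersions.ContainsKey($branch)) {
        return $Version -lt $FixedVersions[$branch]
    }
    # Branch not covered by the alert's list (e.g. 8.0 or older): no fixed
    # release is listed for it, so flag it for review rather than treat it as safe.
    return $true
}

$candidates = @()
foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        $candidates += Get-ChildItem -Path $root -Recurse -Filter 'php.exe' -ErrorAction SilentlyContinue
    }
}
$onPath = Get-Command php.exe -ErrorAction SilentlyContinue
if ($onPath) { $candidates += Get-Item $onPath.Source }

foreach ($exe in $candidates | Sort-Object FullName -Unique) {
    $ver = Get-PhpVersion -PhpExe $exe.FullName
    if (-not $ver) { continue }
    # A php-cgi.exe beside php.exe means the CGI binary the alert concerns is present
    $cgiPresent = Test-Path (Join-Path $exe.DirectoryName 'php-cgi.exe')
    [pscustomobject]@{
        Path        = $exe.FullName
        Version     = $ver.ToString()
        CgiBinary   = $cgiPresent
        NeedsUpdate = Test-PhpNeedsUpdate -Version $ver
    }
}
```

Run it from an elevated PowerShell session on each Windows web host; a row with CgiBinary set to True and NeedsUpdate set to True is an installation that matches the at-risk configuration described in this alert. The script reports on binaries it finds, so confirm the search roots cover every place PHP is deployed, including web server document roots and application bundles.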

Organizations should also review and implement the Cyber Centre's Top 10 IT Security Actions (Footnote 5) with an emphasis on the following topics:

  • Consolidating, monitoring, and defending Internet gateways.
  • Patching operating systems and applications.
  • Isolating web-facing applications.

Determine if associated malicious activity has occurred in potentially vulnerable systems. Should this be the case, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

Information provided by organizations not subject to the Official Languages Act is in the language(s) provided.
