Disclosed: June 2024
Severity: CRITICAL
CVSS v3.1 Score: 9.8/10

🧠 What Is It?

CVE-2024-4577 is a critical zero-day vulnerability impacting PHP running in CGI mode on Windows. This flaw allows attackers to inject arbitrary command-line arguments into the PHP binary—leading to unauthenticated remote code execution (RCE). Active exploitation has been observed in the wild, often delivering China Chopper-style backdoors.

⚠️ CVSS v3.1 Breakdown

• Attack Vector (AV): Network
• Attack Complexity (AC): Low
• Privileges Required (PR): None
• User Interaction (UI): None
• Scope (S): Unchanged
• Confidentiality: High
• Integrity: High
• Availability: High

📌 Why This Matters

This vulnerability highlights how legacy configurations become high-value targets. PHP-CGI may not be common in modern production, but where it’s used, this zero-day provides attackers with an easy foothold. Exploitation results in:

• Full command execution on web servers
• Untraceable persistence via web shells
• Rapid lateral movement if not detected early

🧩 MITRE ATT&CK Mapping

• Initial Access: T1190 – Exploit Public-Facing Application
• Execution: T1059.003 – Command Shell
• Persistence: T1505.003 – Server Software Component

🔎 Detection Strategies

✅ Network Detection (Zeek, Suricata, Security Onion)

• Look for suspicious HTTP POST requests to php-cgi.exe
• Detect URL-encoded payloads with %0a, &, or |
• Flag legacy user-agents such as MSIE 6.0 or default China Chopper signatures

✅ Endpoint Detection (Sysmon, Velociraptor, KAPE)

• php-cgi.exe spawning cmd.exe or powershell.exe
• Unexpected script file creation in C:\inetpub\wwwroot\
• Look for command-line logging or scheduled task creation tied to web server processes

🛠️ Tools & Techniques

Tool	Usage
Sysmon	Track abnormal parent-child process behavior
Velociraptor	Endpoint hunting for shell commands
Zeek	HTTP signature logging and anomaly detection
Sigma/YARA	Create detection rules for known web shell patterns

🧯 Mitigation & Response

• Disable PHP-CGI unless explicitly required
• Apply PHP patches issued on June 8, 2024
• Use a WAF to block suspicious characters in user input (e.g., %0a, &, |)
• Restrict file write permissions in web directories
• Monitor for lateral movement post-compromise

📚 References

• NVD – CVE-2024-4577
• Devcore Analysis & Exploit Demo
• MITRE ATT&CK Techniques

🎯 Defender’s Takeaway

This CVE is a wake-up call for defenders maintaining legacy infrastructure. Even if you’re not running PHP-CGI, the attacker mindset behind this vulnerability applies to many forgotten or outdated systems. Visibility into your web server behaviors, log anomalies, and unexpected file writes can mean the difference between detection and compromise.