Alert - Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577)

Number: AL25-001
Date: March 12, 2025

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of reports of ongoing and increased exploitation of CVE-2024-4577 (Footnote 1, Footnote 2, Footnote 3), a critical remote code execution (RCE) vulnerability in the PHP-CGI implementation of PHP on Windows.

Windows-based PHP installations configured to use PHP-CGI are specifically at risk as the vulnerability exploits Unicode processing in the CGI module.

Threat actors are actively using this vulnerability. The Cyber Centre is not aware of any Canadian victims from this increased activity, but systems in Canada remain vulnerable despite the exploit proof-of-concept being available since June 2024.

Suggested Actions

Organizations should determine if they are at risk by verifying whether they are running vulnerable versions of PHP installed on Windows.

Organizations are advised to update to the following versions of PHP (Footnote 4):

  • PHP 8.3 - update to 8.3.8 or later
  • PHP 8.2 - update to 8.2.20 or later
  • PHP 8.1 - update to 8.1.29 or later
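
An added example (not part of the Cyber Centre's alert): a Python triage helper that compares collected `php -v` / `php-cgi -v` banner lines against the fixed versions listed above. The host names and banner lines are constructed, and branches the alert does not list are reported for manual review rather than judged.

```python
import re

# Minimum fixed patch release per branch, taken from the alert's update list.
FIXED = {(8, 3): 8, (8, 2): 20, (8, 1): 29}

# First line of `php -v` / `php-cgi -v`, e.g. "PHP 8.2.12 (cgi-fcgi) (built: ...)".
BANNER = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)(\S*) \(([^)]+)\)")


def classify(banner):
    """Return (status, sapi) for one version banner line.

    "update"     listed branch, below the fixed release
    "ok"         listed branch, at or above the fixed release
    "not-listed" branch the alert gives no fixed release for; review manually
    "unparsed"   line is not a PHP version banner
    """
    m = BANNER.match(banner.strip())
    if not m:
        return ("unparsed", None)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix, sapi = m.group(4), m.group(5)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return ("not-listed", sapi)
    # Compare numerically: as strings, "8.2.3" would sort after "8.2.20".
    # A suffix (RC1, -dev) on the fixed number is treated as older (conservative).
    if patch < fixed_patch or (patch == fixed_patch and suffix):
        return ("update", sapi)
    return ("ok", sapi)


# Constructed sample inventory: host name -> first line of the version banner.
SAMPLE = {
    "web01": "PHP 8.3.6 (cgi-fcgi) (built: Apr 10 2024 14:21:20)",
    "web02": "PHP 8.2.20 (cgi-fcgi) (built: Jun  4 2024 16:02:11)",
    "web03": "PHP 8.2.3 (cgi-fcgi) (built: Feb 14 2023 09:55:40)",
    "web04": "PHP 7.4.33 (cgi-fcgi) (built: Nov  2 2022 15:34:02)",
    "web05": "'php-cgi' is not recognized as an internal or external command",
}


def triage(inventory):
    """Classify every host in a {host: banner_line} mapping."""
    return {host: classify(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, (status, sapi) in sorted(triage(SAMPLE).items()):
        print(f"{host:8} {status:10} sapi={sapi}")
```
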

Organizations should also review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 5) with an emphasis on the following topics:

  • Consolidating, monitoring, and defending Internet gateways.
  • Patching operating systems and applications.
  • Isolating web-facing applications.

Determine if associated malicious activity has occurred in potentially vulnerable systems. Should this be the case, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

Information provided by organizations not subject to the Official Languages Act is in the language(s) provided.
