⚠️ CISA Known Exploited Vulnerability

Active Threat

This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Active exploitation has been observed in the wild. This poses significant risk to federal enterprises and should be prioritized for immediate patching.

View CISA KEV Catalog

CVE-2024-4577

Critical CISA KEV

Low Medium High Critical

9.8

CVSS Score

Published: Jun 09, 2024

Last Modified: Nov 03, 2025

CWE: CWE-78

Vulnerability Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Known Affected Software

58 configuration(s) from 2 vendor(s)

fedora

Version:

CPE:

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

fedora

Version:

CPE:

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

php

Version:

8.3.5

CPE:

cpe:2.3:a:php:php:8.3.5:-:*:*:*:*:*:*

php

Version:

8.1.25

CPE:

cpe:2.3:a:php:php:8.1.25:-:*:*:*:*:*:*

php

Version:

8.2.0

CPE:

cpe:2.3:a:php:php:8.2.0:-:*:*:*:*:*:*

php

Version:

8.1.12

CPE:

cpe:2.3:a:php:php:8.1.12:*:*:*:*:*:*:*

php

Version:

8.1.27

CPE:

cpe:2.3:a:php:php:8.1.27:-:*:*:*:*:*:*

php

Version:

8.2.5

CPE:

cpe:2.3:a:php:php:8.2.5:-:*:*:*:*:*:*

php

Version:

8.1.5

CPE:

cpe:2.3:a:php:php:8.1.5:rc1:*:*:*:*:*:*

php

Version:

8.2.14

CPE:

cpe:2.3:a:php:php:8.2.14:-:*:*:*:*:*:*

php

Version:

8.2.13

CPE:

cpe:2.3:a:php:php:8.2.13:-:*:*:*:*:*:*

php

Version:

8.1.21

CPE:

cpe:2.3:a:php:php:8.1.21:-:*:*:*:*:*:*

php

Version:

8.2.9

CPE:

cpe:2.3:a:php:php:8.2.9:-:*:*:*:*:*:*

php

Version:

8.1.23

CPE:

cpe:2.3:a:php:php:8.1.23:-:*:*:*:*:*:*

php

Version:

8.2.19

CPE:

cpe:2.3:a:php:php:8.2.19:-:*:*:*:*:*:*

php

Version:

8.3.0

CPE:

cpe:2.3:a:php:php:8.3.0:-:*:*:*:*:*:*

php

Version:

8.3.6

CPE:

cpe:2.3:a:php:php:8.3.6:-:*:*:*:*:*:*

php

Version:

8.3.1

CPE:

cpe:2.3:a:php:php:8.3.1:-:*:*:*:*:*:*

php

Version:

8.2.1

CPE:

cpe:2.3:a:php:php:8.2.1:-:*:*:*:*:*:*

php

Version:

8.1.7

CPE:

cpe:2.3:a:php:php:8.1.7:rc1:*:*:*:*:*:*

php

Version:

8.3.7

CPE:

cpe:2.3:a:php:php:8.3.7:-:*:*:*:*:*:*

php

Version:

8.1.1

CPE:

cpe:2.3:a:php:php:8.1.1:rc1:*:*:*:*:*:*

php

Version:

8.1.28

CPE:

cpe:2.3:a:php:php:8.1.28:-:*:*:*:*:*:*

php

Version:

8.1.15

CPE:

cpe:2.3:a:php:php:8.1.15:*:*:*:*:*:*:*

php

Version:

8.2.16

CPE:

cpe:2.3:a:php:php:8.2.16:-:*:*:*:*:*:*

php

Version:

8.1.4

CPE:

cpe:2.3:a:php:php:8.1.4:rc1:*:*:*:*:*:*

php

Version:

8.2.18

CPE:

cpe:2.3:a:php:php:8.2.18:-:*:*:*:*:*:*

php

Version:

8.2.10

CPE:

cpe:2.3:a:php:php:8.2.10:-:*:*:*:*:*:*

php

Version:

8.1.14

CPE:

cpe:2.3:a:php:php:8.1.14:*:*:*:*:*:*:*

php

Version:

8.2.11

CPE:

cpe:2.3:a:php:php:8.2.11:-:*:*:*:*:*:*

php

Version:

8.1.22

CPE:

cpe:2.3:a:php:php:8.1.22:rc1:*:*:*:*:*:*

php

Version:

8.1.17

CPE:

cpe:2.3:a:php:php:8.1.17:-:*:*:*:*:*:*

php

Version:

8.1.10

CPE:

cpe:2.3:a:php:php:8.1.10:*:*:*:*:*:*:*

php

Version:

8.2.2

CPE:

cpe:2.3:a:php:php:8.2.2:-:*:*:*:*:*:*

php

Version:

8.1.8

CPE:

cpe:2.3:a:php:php:8.1.8:*:*:*:*:*:*:*

php

Version:

8.2.17

CPE:

cpe:2.3:a:php:php:8.2.17:-:*:*:*:*:*:*

php

Version:

8.1.3

CPE:

cpe:2.3:a:php:php:8.1.3:rc1:*:*:*:*:*:*

php

Version:

8.1.13

CPE:

cpe:2.3:a:php:php:8.1.13:*:*:*:*:*:*:*

php

Version:

8.1.9

CPE:

cpe:2.3:a:php:php:8.1.9:*:*:*:*:*:*:*

php

Version:

8.1.0

CPE:

cpe:2.3:a:php:php:8.1.0:rc4:*:*:*:*:*:*

php

Version:

8.2.12

CPE:

cpe:2.3:a:php:php:8.2.12:-:*:*:*:*:*:*

php

Version:

8.2.7

CPE:

cpe:2.3:a:php:php:8.2.7:-:*:*:*:*:*:*

php

Version:

8.1.6

CPE:

cpe:2.3:a:php:php:8.1.6:rc1:*:*:*:*:*:*

php

Version:

8.2.3

CPE:

cpe:2.3:a:php:php:8.2.3:*:*:*:*:*:*:*

php

Version:

8.1.18

CPE:

cpe:2.3:a:php:php:8.1.18:-:*:*:*:*:*:*

php

Version:

8.2.4

CPE:

cpe:2.3:a:php:php:8.2.4:-:*:*:*:*:*:*

php

Version:

8.1.16

CPE:

cpe:2.3:a:php:php:8.1.16:*:*:*:*:*:*:*

php

Version:

8.3.2

CPE:

cpe:2.3:a:php:php:8.3.2:-:*:*:*:*:*:*

php

Version:

8.3.3

CPE:

cpe:2.3:a:php:php:8.3.3:-:*:*:*:*:*:*

php

Version:

8.1.2

CPE:

cpe:2.3:a:php:php:8.1.2:rc1:*:*:*:*:*:*

php

Version:

8.3.4

CPE:

cpe:2.3:a:php:php:8.3.4:-:*:*:*:*:*:*

php

Version:

8.1.24

CPE:

cpe:2.3:a:php:php:8.1.24:-:*:*:*:*:*:*

php

Version:

8.1.20

CPE:

cpe:2.3:a:php:php:8.1.20:-:*:*:*:*:*:*

php

Version:

8.2.6

CPE:

cpe:2.3:a:php:php:8.2.6:-:*:*:*:*:*:*

php

Version:

8.1.26

CPE:

cpe:2.3:a:php:php:8.1.26:-:*:*:*:*:*:*

php

Version:

8.2.8

CPE:

cpe:2.3:a:php:php:8.2.8:-:*:*:*:*:*:*

php

Version:

8.1.19

CPE:

cpe:2.3:a:php:php:8.1.19:-:*:*:*:*:*:*

php

Version:

8.2.15

CPE:

cpe:2.3:a:php:php:8.2.15:-:*:*:*:*:*:*

This vulnerability affects 58 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

2 patches available from vendors

View All Patches

Microsoft

2024-Jun-CVE-2024-4577

CVE-2024-4577: Argument Injection in PHP-CGI

Severity

Unknown

Released

Oct 22, 2025

Security Update

View Details Vendor Page

Microsoft

2024-Oct-CVE-2024-8926

CVE-2024-8926: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)

Severity

Unknown

Released

Oct 01, 2025

Security Update

View Details Vendor Page

Browse All Security Patches

References & Resources

Severity Details

9.8

out of 10.0

Critical

CISA KEV Status

Active Exploitation

Listed in CISA's Known Exploited Vulnerabilities catalog

View on CISA KEV

Weakness Type (CWE)

CWE-78 Top 25 #13

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a…
Exploit Likelihood: High
Typical Severity: High
OWASP Top 10: A03:2021-Injection
Abstraction Level: Base