CISA warns: Critical PHP bug is being exploited by ransomware
Automated attacks against Windows systems with PHP-CGI lead to infection. The attackers load malicious code and encrypt the server.
The recently published and fixed critical PHP bug with the CVE identifier CVE-2024-4577 is being actively exploited. CISA warns of this by including it in its database of "known exploited vulnerabilities" (KEV). Admins of Windows servers with PHP should patch as soon as possible.
As usual, the note on the overview page of the KEV database is not very detailed, but confirms the exploitation in ransomware campaigns. A warning from the security company Imperva provides some details: For example, the Windows ransomware is apparently called "TellYouThePass" and is executed using the PHP exploit and an HTA file. The attackers use the PHP function "system()" with the Windows tool "mshta". Once the ransomware has successfully infiltrated, it encrypts files and stores contact information in a readme file.
Code page trickery leads to code execution
The vulnerability in PHP is not new, but merely a variation of a twelve-year-old programming error that was listed as CVE-2012-1823 at the time and was never fully repaired by the developers of the scripting language. Attackers can use code page (character encoding) tricks to execute their own code on vulnerable systems.
In the meantime, sample exploits and attack automation for the current vulnerability are also circulating on the Internet. Admins should therefore patch as quickly as possible – PHP versions 8.1.29, 8.2.20 or 8.3.8 are considered repaired. The security researchers at Devcore also provide tips on risk assessment and temporary protection.
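An added example, not part of the heise article or of any vendor tooling: a small Python check that compares a host's PHP version against the fixed releases named above (8.1.29, 8.2.20, 8.3.8) and flags the combination the article describes as exposed, Windows hosts running PHP via CGI. The fixed version numbers come from the article; the host inventory is constructed sample data, and treating every branch that has no listed fix (such as 8.0 or older) as unpatched is an assumption of this example.

```python
"""Flag hosts whose PHP version predates the fixed releases named for CVE-2024-4577."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases listed in the article, keyed by (major, minor) branch.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from '8.2.19' or 'PHP 8.2.19 (cgi-fcgi)'."""
    match = _VERSION_RE.search(version)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_patched(version: str) -> bool:
    """True if the version is at or above its branch's fixed release.

    Branches without a listed fix (assumption: 8.0 and older) count as unpatched.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return False
    return parsed >= fixed


def assess(version: str, windows: bool, cgi_mode: bool) -> str:
    """Classify a host: 'patched', 'exposed' (Windows + PHP-CGI, old version),
    or 'update' (old version but not the Windows/CGI combination the article names)."""
    if is_patched(version):
        return "patched"
    if windows and cgi_mode:
        return "exposed"
    return "update"


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_HOSTS: List[Dict[str, object]] = [
    {"host": "web-01", "version": "PHP 8.2.19 (cgi-fcgi)", "windows": True, "cgi": True},
    {"host": "web-02", "version": "PHP 8.3.8 (cgi-fcgi)", "windows": True, "cgi": True},
    {"host": "web-03", "version": "PHP 8.1.28 (fpm-fcgi)", "windows": False, "cgi": False},
    {"host": "web-04", "version": "PHP 8.0.30 (cgi-fcgi)", "windows": True, "cgi": True},
]


def triage(hosts: List[Dict[str, object]]) -> Dict[str, str]:
    """Return {hostname: verdict} for an inventory of hosts."""
    return {
        str(h["host"]): assess(str(h["version"]), bool(h["windows"]), bool(h["cgi"]))
        for h in hosts
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```

The `exposed` verdict is deliberately narrow, matching only the Windows/PHP-CGI combination the article and Imperva describe; any host below the fixed release still gets an `update` verdict, since the patch is the actual remedy.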
(cku)