The National Computer Emergency Response Team (NCERT) has issued an advisory regarding a critical PHP vulnerability, tracked as CVE-2024-4577, which threatens Windows-based systems running in CGI mode.
The flaw, an argument injection vulnerability, allows remote attackers to execute arbitrary code, leading to potential system compromise. Cybercriminals have been actively exploiting the vulnerability to deploy cryptocurrency miners such as XMRig and remote access trojans (RATs) like Quasar RAT.
Global cyberattacks targeting this flaw have been reported, with significant risks to organizations in Pakistan due to the widespread use of PHP-based web applications.
Attackers are leveraging the vulnerability to manipulate firewall settings, deliver malicious Windows Installer (MSI) files, and execute remote commands via cmd.exe. Additionally, the deployment of crypto-jacking malware can lead to excessive resource consumption, causing system instability and potential denial-of-service (DoS) attacks.
The vulnerability arises from improper input validation in PHP’s CGI mode on Windows servers, allowing attackers to inject malicious arguments. Cybercriminals exploit this weakness by sending crafted HTTP requests, taking advantage of PHP CGI configurations with weak security settings, and deploying malware via compromised servers. While the highest number of attacks has been observed in Taiwan, Hong Kong, Brazil, Japan, and India, Pakistani organizations are also at risk due to the prevalence of PHP-based infrastructure in web applications.
According to the advisory, NCERT has recommended several immediate mitigation measures to counter the threat. Organizations should disable PHP CGI mode if it is not required and restrict external access to PHP-based applications through firewall rules. Strengthening authentication mechanisms, such as implementing Multi-Factor Authentication (MFA), enforcing strong password policies, and limiting privileged access, can help reduce unauthorized intrusions. Additionally, continuous monitoring of system activity, including checking logs for unauthorized PHP script execution attempts and using Security Information and Event Management (SIEM) solutions, is crucial for detecting suspicious behavior.
To prevent exploitation, organizations must update PHP to the latest version and apply security patches from PHP maintainers as soon as they become available. Regular auditing of PHP configurations and disabling unnecessary features can further enhance security. Hardening security configurations, such as disabling unused services, removing default credentials, implementing network segmentation, and deploying application firewalls, is essential for mitigating risks associated with the vulnerability.
NCERT has also emphasized the need for robust incident response planning. Organizations should regularly back up critical data to secure, offsite locations and develop comprehensive incident response plans to contain and mitigate potential compromises. Periodic security assessments can help identify vulnerabilities and strengthen overall cybersecurity resilience. With active exploitation attempts being reported globally, urgent action is required to prevent severe security breaches and safeguard critical systems from cyber threats.