Tag Archive for: Exploit

CVE-2024-4577 (CVSS 9.8 Critical) is currently climbing the ranks of the most heavily exploited security vulnerabilities. Disclosed in early June 2024 by Devcore security researchers, it was weaponized within a mere 48 hours. It is a PHP-CGI OS Command Injection vulnerability [CWE-78] affecting PHP for Windows. Attacks distributing “TellYouThePass” ransomware were observed immediately, and the CVE was added to CISA’s KEV list (the Known Exploited Vulnerabilities catalog of the Cybersecurity and Infrastructure Security Agency). Several months later, exploitation of CVE-2024-4577 continues to escalate.

Greenbone has provided vulnerability tests (VTs) to detect systems affected by CVE-2024-4577 since it was disclosed in June 2024. This allows defenders to identify affected systems across public-facing and internal network infrastructure. Let’s look deeper into the threat posed by CVE-2024-4577.

Exploiting CVE-2024-4577 for RCE and Lateral Movement

Proof of concept (PoC) exploit code and a full technical breakdown have long been public, published by watchTowr Labs, and a Metasploit module was released in mid-2024. National CERT advisories have recently been issued by CERT New Zealand (CERT NZ) and the Canadian Centre for Cyber Security. CERT-EU and CERT-FR (the French government CERT) had already issued alerts for the flaw back in June 2024.

Due to CVE-2024-4577, PHP-CGI (Common Gateway Interface) may misinterpret certain characters as PHP options, which allows a malicious user to pass options to the php.exe binary. This trick can reveal the source code of scripts or run arbitrary PHP code on the server. CVE-2024-4577 is considered a bypass of the fix for a long-patched PHP vulnerability, CVE-2012-1823.

In the case that attackers gain initial access to a victim’s network through social engineering or a different software vulnerability, CVE-2024-4577 can provide an attacker with the opportunity for lateral movement, or covert persistence, penetrating deeper into a victim’s infrastructure and increasing the blast radius of a cyber attack.

A Brief Technical Explanation of CVE-2024-4577

In a nutshell, exploitation of CVE-2024-4577 leverages Unicode character conversion to inject malicious command-line arguments into the php.exe process. At a high level, web servers behave differently when CGI mode is enabled. A web server normally parses HTTP requests and passes them to a PHP script for processing. When CGI mode is enabled, however, attributes are extracted from the URL and passed as arguments to the PHP executable (php.exe on Windows). This PHP-CGI mode is known to introduce distinct security risks.

Although PHP-CGI is supposed to sanitize shell metacharacters (such as hyphens, double hyphens, ampersands and equal signs) before passing them on, this still opens a pathway to command injection if attackers can find a way to bypass the sanitization. PHP-CGI’s handling of encoded characters was also the target of the exploit for CVE-2012-1823. Similar character-encoding battles are continuously waged, resulting in new ways for attackers to exploit XSS and SQL injection vulnerabilities.

In the current iteration of this attack, attackers use a soft hyphen (0xAD) instead of a standard hyphen (0x2D) to pass PHP directives and achieve Remote Code Execution (RCE). This works because Windows uses the UCS-2 character set, converts all characters to their UCS-2 code-point value and additionally applies a “best-fit” conversion. In the case of CVE-2024-4577, it is this best-fit mapping that converts soft hyphens into standard hyphens. This allows passing php.exe arguments that prepend and execute the HTTP request body itself, by adding the command “-d allow_url_include=1 -d auto_prepend_file=php://input” to the HTTP GET string using URL-encoded soft hyphens. Soft hyphens are normally invisible Unicode characters that mark where a word may be broken across lines, but only when necessary to fit the text on the line. Thanks to Windows’ best-fit conversion, they are effectively converted into command-line flags.
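The soft-hyphen trick described above leaves a recognizable trace in web server access logs: a percent-encoded soft hyphen (“%AD”, or its UTF-8 form “%C2%AD”) in the query string of a request, followed by what becomes a php.exe option once the best-fit mapping is applied. The following Python snippet is an added example written for this article; it is not Greenbone’s detection code and not part of the original post. It models only the one best-fit mapping the article describes (soft hyphen to hyphen), and all log lines, IP addresses and paths in it are constructed for the illustration.

```python
# Added example (not from the original article or from Greenbone): flag HTTP
# requests whose query string carries a soft hyphen (U+00AD) that Windows'
# best-fit conversion would turn into an ordinary hyphen, i.e. "%ADd" reaching
# php.exe as the option "-d". All sample log lines below are constructed.
import re
from urllib.parse import unquote_to_bytes, urlsplit

SOFT_HYPHEN = "\u00ad"

# PHP directives named in the article; seeing them after normalization is a
# strong indicator that the request tries to reconfigure php.exe.
SUSPICIOUS_DIRECTIVES = ("allow_url_include", "auto_prepend_file")

# Common-log-format request line: "<METHOD> <target> HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_query(query: str) -> str:
    """Percent-decode a query string. Try UTF-8 first (catches %C2%AD); fall back
    to Latin-1 so a lone 0xAD byte becomes U+00AD instead of a decode error."""
    raw = unquote_to_bytes(query)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def best_fit_normalize(text: str) -> str:
    """Model the best-fit mapping described in the article: soft hyphen -> hyphen."""
    return text.replace(SOFT_HYPHEN, "-")


def classify_query(query: str) -> list:
    """Return the reasons a query string looks like a CVE-2024-4577 attempt
    (empty list means nothing suspicious was found)."""
    reasons = []
    decoded = decode_query(query)
    if SOFT_HYPHEN not in decoded:
        return reasons
    reasons.append("soft-hyphen")
    normalized = best_fit_normalize(decoded)
    # CGI passes a '='-free query string as argv split on '+', so after
    # normalization "-d" at the start or after '+' looks like a php.exe option.
    if re.search(r"(?:^|[\s+])-[a-zA-Z]\b", normalized):
        reasons.append("option-like-token")
    if any(directive in normalized for directive in SUSPICIOUS_DIRECTIVES):
        reasons.append("php-directive")
    return reasons


def scan_access_log(lines):
    """Return (line, reasons) for every request line that carries indicators.
    No path filter is applied: a soft hyphen in any query string is unusual."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        reasons = classify_query(query)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample log (addresses from the TEST-NET-3 documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /index.php?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /search.php?q=caf%C3%A9-latte HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit_line, hit_reasons in scan_access_log(SAMPLE_LOG):
        print(", ".join(hit_reasons), "<-", hit_line)
```

Only the second line is flagged: the first carries no soft hyphen, and the third shows that ordinary non-ASCII input (a UTF-8 “é”) is not mistaken for one. A WAF rule written along the same lines, rejecting requests whose decoded query string contains U+00AD, is one way to implement the filtering mitigation mentioned later in the article.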

CVE-2024-4577 is Being Leveraged Globally in 2025

According to new reports released in March 2025, attacks leveraging CVE-2024-4577 are ongoing, widespread and escalating. Cisco detected exploitation of CVE-2024-4577 in January 2025 targeting Japanese education, e-commerce and telecommunications companies. After gaining initial access via PHP, attackers installed Cobalt Strike’s ‘TaoWu’ plugins and modified Windows registry keys to establish persistent access through scheduled tasks.

Another recent report from GreyNoise reveals that mass exploitation of CVE-2024-4577 has extended to targets in the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain and Malaysia. Germany and China were reportedly the primary sources of attacks, accounting for 43% globally. GreyNoise also maintains a honeynet that detected over 1,089 unique IPs attempting exploitation in January 2025 alone, and counted 79 publicly available, specialized exploit kits. The cybersecurity firm warned of growing attack volume in February 2025, driven by automated scanning and signaling a rapidly escalating cyber threat.

Mitigation for CVE-2024-4577

CVE-2024-4577 affects all PHP versions on Windows before 8.1.29, 8.2.20 and 8.3.8 (including the end-of-life PHP 5 and PHP 7 branches). The best mitigation is to upgrade to a patched version with urgency. Where immediate patching isn’t feasible, defenders may disable PHP-CGI mode in favor of PHP-FPM (FastCGI Process Manager) or, alternatively, use a web application firewall (WAF) to filter and block exploitation attempts. PHP system administrators should also note the additional security risks associated with CGI and review their configurations accordingly.

Greenbone has provided vulnerability tests (VTs) to detect systems affected by CVE-2024-4577 since it was first disclosed in June 2024. This early detection capability allows defenders to identify affected systems across public-facing and internal network infrastructure. Greenbone’s detection tests include remote version detections [1][2] and a remote active check [3].

Summary

CVE-2024-4577 is a critical PHP-CGI vulnerability affecting PHP installations on Windows that allows remote code execution (RCE). The flaw was weaponized within 48 hours of disclosure and used in TellYouThePass ransomware attacks. According to reports from Cisco and GreyNoise, mass exploitation of CVE-2024-4577 has been escalating globally, and multiple national CERT advisories have been issued. Defenders need to identify where affected products are operating within their infrastructure and immediately update to a fixed version of PHP, disable PHP-CGI completely or switch to PHP-FPM (FastCGI Process Manager).

Two new CVEs in Apache Camel have been disclosed warranting immediate attention from users. On March 9, 2025, Apache disclosed CVE-2025-27636 (CVSS 5.6), a Remote Code Execution (RCE) flaw. Two days later, on March 11th, Akamai’s Security Intelligence Group (SIG) reported a bypass technique for the original patch, resulting in CVE-2025-29891 (CVSS 4.2) being published on March 12th.


Although the two vulnerabilities have only been assigned moderate CVSS severity scores by CISA-ADP (CISA’s Authorized Data Publisher), they could be severe-impact vulnerabilities depending on the targeted Camel instance’s configuration. Both CVEs have the same root cause: improper filtering of HTTP headers or HTTP parameters when communicating with an Apache Camel instance. In short, header names were filtered using case-sensitive matching, while the headers themselves were applied in a case-insensitive manner.

Furthermore, publicly available proof-of-concept (PoC) code and a relatively complete technical description add to the risk. Greenbone can detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints. Let’s review the details.

What Is Apache Camel?

Apache Camel is a popular open-source Java library for integrating different components of a distributed enterprise system architecture, such as APIs or microservices. In a nutshell, Camel is a versatile platform for routing and mediation based on the Enterprise Integration Patterns (EIPs) concept of enterprise system architecture design. Apache Camel is heavily based on EIPs and provides an implementation of these patterns via its domain-specific languages (DSLs), which include Java, XML, Groovy, YAML and others.

As of 2021, Apache Camel held approximately 3.03% of the Enterprise Application Integration market. The software is used by over 5,600 companies, roughly half being US-based. Camel’s market share is predominantly in the Information Technology and Services industry (33%), Computer Software industry (12%) and Financial Services industry (6%).

Two New CVEs in Apache Camel May Allow RCE

When any of Camel’s HTTP-based components handle requests, a default filter is supposed to prevent exposure of sensitive data or execution of internal commands. However, due to a flawed case-sensitive filtering rule, only exactly matched header names were filtered, while downstream in the program logic these headers were applied in a case-insensitive manner, allowing a filter bypass. By changing the case of the first character of the header name, an attacker could bypass the filter and inject arbitrary Camel headers.

The good news is that either the camel-bean or the camel-exec component must be enabled in combination with an HTTP-based component such as camel-http, camel-http4, camel-rest, camel-servlet or others. Also, exploitation is limited to internal methods within the scope declared in the HTTP request URI. One final saving grace is that this flaw has not been implicated as an unauthenticated vulnerability. Therefore, if the system designers have implemented authentication and authorization for a Camel HTTP API, it is not exploitable by unauthenticated attackers.

At the high end of the risk spectrum, if the Camel Exec component is enabled and targeted, an attacker can achieve arbitrary RCE as the user running the Camel process. RCE is achieved by sending the CamelExecCommandExecutable header to specify an arbitrary shell command, overriding the commands configured on the back end. If exploitable Camel HTTP APIs are Internet accessible, the risk is especially high; however, this flaw could also be used for lateral movement within a network by an insider, or by attackers who have gained initial access to an organization’s internal network.

A technical description of the exploit chain and proof-of-concept (PoC) has been provided by Akamai.

What Is the Appropriate CVSS Score?

Although CVE-2025-27636 (CVSS 5.6) and CVE-2025-29891 (CVSS 4.2) have been assigned moderate severity scores, they could have a critical impact if either the camel-bean or camel-exec component is enabled in combination with HTTP-based components. The situation highlights some limitations of scoring by CVSS (the Common Vulnerability Scoring System).

Akamai researchers report that the flaw is trivial to exploit and have published proof-of-concept (PoC) code, increasing the risk. This implies that the CVSS Attack Complexity (AC) metric should be set to Low (L). However, CISA-ADP has assessed attack complexity as High (AC:H) despite these facts. Red Hat has accounted for these factors and increased the CVSS for CVE-2025-27636 to 6.3.

Also, CISA-ADP assessed no impact to confidentiality for CVE-2025-29891, despite the potential for arbitrary RCE. However, if an Apache Camel instance has a vulnerable configuration, a High impact assessment for Confidentiality (C), Integrity (I) and Availability (A) is justified, further increasing the criticality to CVSS 9.8.

On the other hand, CISA-ADP assigned a Privileges Required (PR) value of None (N). Although Akamai’s PoC does not use an HTTPS connection or authentication, it would be extremely negligent to operate an unencrypted and unauthenticated API. Apache Camel supports the Java Secure Socket Extension (JSSE) API for Transport Layer Security (TLS) and the use of a Keycloak Single Sign-On (SSO) authorization server. Camel instances with some form of client authentication enabled would be protected against exploitation. In most cases, the PR value should be adjusted to Low (L) or High (H), resulting in a diminished CVSS of 7.3 or 8.8.

Furthermore, the CVEs were assigned a Scope value of Unchanged (S:U). According to the CVSS v3.1 specification: “The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.” Execution of arbitrary shell commands on the compromised system is typically assigned the value Changed (C). If the Camel process runs as the Linux/Unix root user or a Windows administrator, an attacker would have virtually unlimited control of the compromised system. Accounting for the variety of possible CVSS assessments, CVE-2025-27636 and CVE-2025-29891 should be considered critical severity vulnerabilities if an instance meets the configuration requirements and does not apply authentication.

Mitigating the CVEs in Apache Camel

CVE-2025-27636 and CVE-2025-29891 affect Apache Camel version 4.10 before 4.10.2, version 4.8 before 4.8.5 and version 3 before 3.22.4. Users should upgrade to 4.10.2, 4.8.5 or 3.22.4, or implement custom header filtering using removeHeader or removeHeaders in Camel routes. It should be noted that Camel versions 4.10.0, 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3 are still vulnerable, although they were considered security updates that addressed the flaw.
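The following Python model is an added example, written for this article and not taken from Apache Camel’s source. It reduces the root cause described under “Two New CVEs in Apache Camel May Allow RCE” to its essentials (a case-sensitive filter in front of a case-insensitive lookup) and places the hardened, case-insensitive filter beside it, which is the behaviour a custom `removeHeaders("Camel*")` step in a route is meant to restore. The “Camel” name prefix used for the reserved headers, the configured command path and the inbound request are assumptions of the model; the CamelExecCommandExecutable header name is the one the article cites.

```python
# Added example (not Apache Camel's own code): a minimal model of the header
# filter bypass behind CVE-2025-27636 / CVE-2025-29891 and the case-insensitive
# filter that closes it. The inbound request below is constructed.
from typing import Dict

# Assumed prefix for Camel's reserved exchange headers (the article's example
# header, CamelExecCommandExecutable, starts with it).
RESERVED_PREFIX = "Camel"
# Header the Exec component reads to decide which executable to run (from the article).
EXEC_HEADER = "CamelExecCommandExecutable"


def filter_headers_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Case-sensitive filter: drops only names that start with exactly 'Camel',
    so 'camelExecCommandExecutable' slips through."""
    return {name: value for name, value in headers.items()
            if not name.startswith(RESERVED_PREFIX)}


def filter_headers_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Case-insensitive filter: compares the lower-cased name, which matches
    the way the headers are looked up downstream."""
    prefix = RESERVED_PREFIX.lower()
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(prefix)}


def resolve_exec_command(headers: Dict[str, str], configured_command: str) -> str:
    """Model the downstream lookup: HTTP header names are matched without regard
    to case, so any spelling of the Exec header overrides the configured command."""
    wanted = EXEC_HEADER.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return configured_command


# Constructed inbound request: the reserved header with its first letter lower-cased.
INBOUND = {
    "Host": "camel.example.internal",
    "Content-Type": "application/json",
    "camelExecCommandExecutable": "<attacker-chosen executable>",
}
# Assumed command the route was configured to run.
CONFIGURED = "/opt/app/bin/report-generator"


def resolved_with(filter_fn) -> str:
    """Apply a filter to the constructed request and report which command would run."""
    return resolve_exec_command(filter_fn(INBOUND), CONFIGURED)


if __name__ == "__main__":
    print("vulnerable filter ->", resolved_with(filter_headers_vulnerable))
    print("hardened filter   ->", resolved_with(filter_headers_hardened))
```

With the vulnerable filter the attacker-supplied value reaches the Exec component; with the hardened filter the configured command is preserved while ordinary headers such as Host and Content-Type pass through untouched. The same mismatch can be checked for any other filter in front of a component that resolves names case-insensitively.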

Also, it is strongly recommended that all HTTP endpoints in a distributed architecture employ strong authentication. For Apache Camel, options include using the Java Secure Socket Extension (JSSE) API for TLS with Camel components, or a Keycloak OAuth 2.0 SSO authorization server. For legacy systems, a minimum of HTTP Basic Authentication should be configured.

Summary

Apache Camel users should immediately upgrade to versions 4.10.2, 4.8.5 or 3.22.4 to mitigate the newly published CVEs affecting Apache Camel. Alternatively, implement custom header filtering using removeHeader or removeHeaders in Camel routes. Strong authentication on all HTTP endpoints is also highly recommended as a security best practice; Apache Camel supports the JSSE API for TLS and Keycloak SSO solutions. Greenbone is able to detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints.