Tag Archive for: RCE

Joseph Lee

Escalating Attacks Targeting CVE-2024-4577 in PHP-CGI for Windows

CVE-2024-4577 (CVSS 9.8 Critical) is currently climbing the winners’ podium of the most malicious security vulnerabilities. Disclosed in early June 2024 by Devcore security researchers, weaponization began within a mere 48 hours. It is a PHP-CGI OS Command Injection vulnerability [CWE-78] impacting PHP for Windows. Attacks distributing “TellYouThePass” ransomware were immediately observed and the CVE added to CISA’s KEV list (Known Exploited Vulnerabilities of the Cybersecurity and Infrastructure Security Agency). Several months later, exploitation of CVE-2024-4577 suddenly continues to escalate.

Greenbone provided vulnerability tests (VTs) to detect systems impacted by CVE-2024-4577 since it was released in June 2024. This allows defenders to identify affected systems across public-facing or internal network infrastructure. Let’s look deeper into the threat of CVE-2024-4577.

Exploiting CVE-2024-4577 for RCE and Lateral Movement

Proof of concept (PoC) exploit code and a full technical breakdown has long been published by watchTowr Labs, and a Metasploit module was also released in mid-2024. National CERT advisories have recently been issued by CERT New Zealand (CERT NZ) and the Canadian Center for Cyber Security. However, the flaw had already been alerted by CERT-EU, and CERT-FR (French Government CERT) back in June 2024.

Due to CVE-2024-4577, the PHP-CGI (Common Gateway Interface) may misinterpret certain characters as PHP options, which may allow a malicious user to pass options to the php.exe binary. This trick can reveal the source code of scripts or run arbitrary PHP code on the server. CVE-2024-4577 is considered a bypass of a long-ago patched vulnerability in PHP, CVE-2012-1823.

In the case that attackers gain initial access to a victim’s network through social engineering or a different software vulnerability, CVE-2024-4577 can provide an attacker with the opportunity for lateral movement, or covert persistence, penetrating deeper into a victim’s infrastructure and increasing the blast radius of a cyber attack.

A Brief Technical Explanation of CVE-2024-4577

In a nutshell, exploitation of CVE-2024-4577 works by leveraging Unicode character conversion to inject malicious command-line arguments to the php.exe process. On a high-level, web servers behave differently when CGI mode is enabled. A webserver will normally parse HTTP requests and pass them to a PHP script for processing. However, when CGI mode is enabled, attributes are extracted from the URL and passed as arguments to the executable PHP binary (php.exe on Windows). This PHP-CGI process is known to introduce distinct security risks.

Although PHP-GCI is supposed to sanitize shell meta characters (such as hyphens, double-hyphens, ampersands, and equal signs) before being passed, this still opens a pathway to command injection if attackers can find a way to bypass the sanitization process. PHP-CGI encoding was also the target of exploiting CVE-2012-1823. Furthermore, similar character encoding battles are continuously waged resulting in new ways for attackers to execute XSS and SQL injection vulnerabilities.

In the current iteration of this attack, using a soft hyphen (0xAD) instead of a standard hyphen (0x2D), attackers can initiate PHP directives to achieve Remote Code Execution (RCE). This is because Windows uses the UCS-2 character set, converts all characters to the UCS-2 code-point value and also executes an additional “best-fit” conversion. In the case of CVE-2024-4577, it is the best-fit schema that converts soft hyphens into standard hyphens. This allows injecting php.exe with arguments to prepend and execute the HTTP request body itself by adding the command “-d allow_url_include=1 -d auto_prepend_file=php://input” using URL encoded soft hyphens to the HTTP GET string. Soft hyphens are typically invisible UTF-8 characters used to specify locations word breaks, but only when necessary to fit the text on the line. Thanks to Windows’ best-fit conversion, they are effectively converted into command line flags.

CVE-2024-4577 is Being Leveraged Globally in 2025

According to new reports released in March 2025, attacks leveraging CVE-2024-4577 are ongoing,  widespread and escalating. Cisco detected exploitation of CVE-2024-4577 in January 2025, targeting Japanese education, ecommerce and telecommunications companies. After gaining initial access via PHP, attackers installed Cobalt Strike’s ‘TaoWu’ plugins and modified Windows registry keys to establish persistent access through scheduled tasks.

Another recent report from GreyNoise reveals that mass exploitation of CVE-2024-4577 has extended to targets in the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain and Malaysia. Germany and China were reportedly the primary sources of attacks, accounting for 43% globally. GreyNoise also maintains a honeynet that detected over 1,089 unique IPs attempting exploitation in January 2025 alone, and counted 79 publicly available, specialized exploit kits. The cybersecurity firm warned of growing attack volume in February 2025, driven by automated scanning and signaling a rapidly escalating cyber threat.

Mitigation for CVE-2024-4577

CVE-2024-4577 affects all PHP versions (including PHP 5 and PHP 7 which are end-of-life) before 8.1.29, 8.2.20 and 8.3.8 on Windows. The best mitigation is to upgrade to a patched version with urgency. For environments where immediate patching isn’t feasible, defenders may disable the execution of PHP-CGI mode in favor of PHP-FPM (FastCGI Process Manager) or alternatively, utilize a web-application firewall (WAF) to filter and block exploitation attempts. PHP system administrators should also note several additional security risks associated with CGI and review them for optimal security.

Greenbone has provided vulnerability tests (VTs) to detect systems impacted by CVE-2024-4577 since it was first disclosed in June 2024. This early detection capability allows defenders to identify affected systems across public facing or internal network infrastructure. Greenbone’s detection tests include remote version detections [1][2], and a remote active check [3].

Summary

CVE-2024-4577 is a critical PHP-CGI vulnerability affecting PHP installations on Windows, that allows remote code execution (RCE). The flaw was weaponized within 48 hours of disclosure and used in TellYouThePass ransomware attacks. According to reports from Cisco and GreyNoise, mass exploitation of CVE-2024-4577 has been escalating globally, and multiple national CERT advisories have been issued. Defenders need to identify where affected products are operating within their infrastructure, and immediately update to a fixed version of PHP, disable PHP-CGI completely or switch to PHP-FPM (FastCGI Process Manager).

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Apache Camel Case-Sensitive Flaw May Forfeit Remote Command Execution

Two new CVEs in Apache Camel have been disclosed warranting immediate attention from users. On March 9, 2025, Apache disclosed CVE-2025-27636 (CVSS 5.6), a Remote Code Execution (RCE) flaw. Two days later, on March 11th, Akamai’s Security Intelligence Group (SIG) reported a bypass technique for the original patch, resulting in CVE-2025-29891 (CVSS 4.2) being published on March 12th.

Green graphic with stylised camel in a desert landscape. To the right is a button with the inscription ‘RCE in Apache Camel’.

Although the two vulnerabilities have only been assigned moderate CVSS severity scores by CISA-ADP (CISA’s Authorized Data Publisher), they could be severe impact vulnerabilities depending on the targeted Camel instance’s configuration. Both CVEs have the same root cause: improper filtering of HTTP headers or HTTP parameters when communicating to an Apache Camel instance. As the article’s title suggests, parameters were filtered using case-sensitive methods, while the arguments themselves were being applied in a non-case-sensitive manner.

Furthermore, publicly available proof-of-concept (PoC) code and a relatively complete technical description adds to the risk. Greenbone can detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints. Let’s review the details.

What Is Apache Camel?

Apache Camel is a popular open-source Java library for integrating different components of a distributed enterprise system architecture such as APIs or microservices. In a nutshell, Camel is a versatile platform for routing and mediation based on the Enterprise Integration Patterns (EIPs) concept of enterprise system architecture design. Apache Camel is heavily based on EIPs and provides an implementation of these patterns via its domain-specific languages (DSL) that include Java, XML, Groovy, YAML and others.

As of 2021, Apache Camel held approximately 3.03% of the Enterprise Application Integration market. The software is used by over 5,600 companies, roughly half being US-based. Camel’s market share is predominantly in the Information Technology and Services industry (33%), Computer Software industry (12%) and Financial Services industry (6%).

Two New CVEs in Apache Camel May Allow RCE

When any of Camel’s HTTP-based components handle requests, a default filter is supposed to prevent exposure of sensitive data or execution of internal commands. However, due to a flawed case-sensitive filtering rule, only exactly matched headers were filtered. However, downstream in the program logic, these headers were being applied in a non-case-sensitive manner, allowing filter bypass. Changing the case of the first character of the header name, an attacker could bypass the filter to inject arbitrary headers.

The good news is that either the camel-bean or camel-exec component must be enabled in combination with an http-based component such as such as camel-http, camel-http4, camel-rest, camel-servlet or others. Also, exploitation is limited to internal methods within the scope declared in the HTTP request URI. One final saving grace is that this flaw has not been implicated as an unauthenticated vulnerability. Therefore, unless the system designers have implemented any authentication and authorization for a Camel HTTP API, it is not exploitable.

At the high-end of the risk spectrum, if the Camel Exec component is enabled and targeted, an attacker can achieve arbitrary RCE as the user controlling the Camel process. RCE is achieved by sending the CamelExecCommandExecutable header to specify an arbitrary shell command, overriding the commands configured on the back-end. If exploitable Camel HTTP APIs are Internet accessible, the risk is especially high, however, this flaw could also be used for lateral movement within a network by an insider, or by attackers who have gained initial access to an organization’s internal network.

A technical description of the exploit chain and proof-of-concept (PoC) has been provided by Akamai.

What Is the Appropriate CVSS Score?

Although CVE-2025-27636 (CVSS 5.6) and CVE-2025-29891 (CVSS 4.2) have been assigned moderate severity scores, they could have a critical impact if either the camel-bean or camel-exec components are enabled in combination with http-based components. The situation highlights some limitations of the scoring by CVSS (Common Vulnerability Scoring System).

Akamai researchers report that the flaw is trivial to exploit and have published proof-of-concept (PoC) code, increasing the risk. This implies that the CVSS Attack Complexity (AC) metric should be set to Low (L). However, CISA-ADP has assessed attack complexity as high (AC:H) given these facts. Red Hat has accounted for these factors and increased the CVSS for CVE-2025-27636 to 6.3.

Also, the CISA-ADP assessed no impact to confidentiality for CVE-2025-29891, despite the potential for arbitrary RCE. However, if an Apache Camel instance has a vulnerable configuration, a high impact assessment for Confidentiality (C), Integrity (I) and Availability (A), is justified further increasing the criticality to CVSS 9.8.

On the other hand, the CISA-ADP assigned a Privileges Required (PR) value of None (N). However, although Akamai’s PoC does not use an HTTPS connection or authentication, it would be extremely negligent to operate an unencrypted and unauthenticated API. Apache Camel supports Java Secure Socket Extension (JSSE) API for Transport Layer Security (TLS) or using a KeyCloak Single Sign-On (SSO) authorization server. Camel instances with some form of client authentication enabled would be protected against exploitation. For most cases, the PR value should be adjusted to Low (L) or High (H) resulting in a diminished CVSS of 7.3 or 8.8.

Furthermore, the CVEs were assigned a Scope value Unchanged (UC). According to the CVSS v3.1 specification: “The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.” Execution of arbitrary shell commands on the compromised system is typically assigned the value of Changed (C). If the Camel process is owned by the Linux/Unix root or a Windows administrator user, an attacker would have virtually unlimited control of a compromised system. Accounting for the variety of possible CVSS assessments, CVE-2025-27636 and CVE-2025-29891 should be considered critical severity vulnerabilities if an instance meets the configuration requirements and does not apply authentication.

Mitigating the CVEs in Apache Camel

CVE-2025-27636 and CVE-2025-29891 affect Apache Camel version 4.10 before 4.10.2, version 4.8 before 4.8.5 and version 3 before 3.22.4. Users should upgrade to 4.10.2, 4.8.5 or 3.22.4 or implement custom header filtering using removeHeader or removeHeaders in Camel routes. It should be noted that Camel versions 4.10.0, 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3 are still vulnerable although they were considered security updates that addressed the flaw.

Also, it is strongly recommended that all HTTP endpoints in a distributed architecture employ strong authentication. For Apache Camel, options include: using Java Secure Socket Extension (JSSE) API for TLS with Camel components or using a KeyCloak OAuth 2.0 SSO authorization server. For legacy systems, a minimum of HTTP Basic Authentication should be configured.

Summary

Apache Camel users should immediately upgrade to versions 4.10.2, 4.8.5 or 3.22.4 to mitigate the newly published CVEs affecting Apache Camel. Alternatively, implement custom header filtering using removeHeader or removeHeaders in Camel routes. Strong authentication on all HTTP endpoints is also highly recommended for security best-practices. Apache Camel supports the JSSE API for TLS or KeyCloak SSO solutions. Greenbone is able to detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Greenbone Detects CVE-2025-0994: Actively Exploited Flaw in Trimble Cityworks

Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as ​​CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is a process whereby the software code or objects are encoded to be transferred between applications and then reconstructed into the original format used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.

Exploitation CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit attachment directory root configuration to only folders which only contain attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by