EXPEL BLOG

Patch Tuesday (Expel’s version): April 2025


· 5 MIN READ · BEN NAHORNEY, MATT JASTRAM AND AARON WALTON · APR 8, 2025 · TAGS: Vulnerability management

TL;DR

  • This month, we’re highlighting a PHP vulnerability, CVE-2024-4577, that was first disclosed in June 2024 but is still being exploited in 2025 
  • Also, Microsoft has released 126 new CVEs for Patch Tuesday 
  • Use this blog as a guide for managing vulnerabilities (both old and new)

 

Hello, and welcome to the April Patch Tuesday blog!

This month, we have 126 new CVEs in the release, including 11 marked as critical, and one zero-day. While those vulnerabilities are important, we continue to see cybercriminals exploit vulnerabilities years after they were identified. So this month, we’re also highlighting a vulnerability that has seen a recent uptick in activity: CVE-2024-4577, impacting servers running the PHP scripting language. Let’s jump in!

Patch Tuesday: April 8, 2025

There are several patches to take note of in this month’s release, including those covering remote code execution vulnerabilities in Office products, Microsoft’s native hypervisor, and Microsoft’s implementation of the Lightweight Directory Access Protocol (LDAP). However, we think the following vulnerabilities should be at the top of your prioritization list:  

  • Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2025-29824): The lone zero-day this month is located in the Windows Common Log File System driver and could allow an attacker to gain SYSTEM privileges on a compromised system. It does, however, require local access to exploit. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog. It’s also worth noting that Microsoft lists 37 separate updates for this CVE (one per affected Windows version), so be sure to check which one applies to your environment.  
  • Windows Remote Desktop Services Remote Code Execution Vulnerabilities (CVE-2025-27480) and (CVE-2025-27482): These vulnerabilities lie within the Remote Desktop Gateway Service and appear to be difficult to leverage: successful exploitation depends on the attacker winning a race condition. If they do, a use-after-free becomes reachable, allowing the attacker to execute arbitrary code remotely.
  • Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2025-27472): This vulnerability has a relatively low CVSS score of 5.4, but we’ve noticed that Mark of the Web (MotW) vulnerabilities appear to be in vogue these days. MotW is a Windows security feature that tags files downloaded from the internet so that the user is warned before a downloaded executable is run. This flaw could allow an attacker to strip or bypass that tag and run code without the warning appearing. 

 

Without the Mark of the Web (MotW), users may not receive this warning before running something suspicious.

 

Exploit tales: PHP

CVE-2024-4577 is a remote code execution vulnerability in the PHP interpreter. It affects PHP installations on Windows running in Common Gateway Interface (CGI) mode. CGI is a long-standing way for a web server to hand requests to PHP, but a deprecated one. Sites still running PHP-CGI are likely depending on very old applications that are either too difficult to replace or that the site maintainers lack the resources to address. That’s where the risk comes in: if php-cgi can be tricked into accepting attacker-supplied options, it will run whatever code the attacker provides.

Exploitation of this vulnerability was first reported when it was disclosed in June 2024. Since then there have been several reports of an uptick in exploitation activity, and our SOC has also seen several incidents leveraging this vulnerability in the last month.

In one case, attackers targeted a public-facing, vulnerable instance of the popular XAMPP web server stack. The attacker sent specially crafted requests that caused the server to run the following command:

php-cgi.exe -d cgi.force_redirect=0 -d cgi.redirect_status_env -d allow_url_include=1 -d auto_prepend_file=php://input

 

Let’s break this command down to understand what happens when the PHP-CGI executable is called with these options. 

  1. cgi.force_redirect=0 disables the safety check that, by default, stops php-cgi.exe from being invoked directly rather than through the web server. 
  2. cgi.redirect_status_env names the environment variable PHP looks for, when cgi.force_redirect is on, before it will agree to continue executing. Here it is passed alongside cgi.force_redirect=0 to make sure the direct invocation is not refused.
  3. allow_url_include=1 lets include-type directives, such as auto_prepend_file, load code through URL-style stream wrappers (php://input, http://, and so on) instead of only from local files.
  4. auto_prepend_file=php://input tells PHP to run the attacker-supplied code before the requested script. Normally this directive takes a file path, but here it points at the raw body of the HTTP request.
  5. Finally, the attacker sends a POST request whose body contains the PHP code they want executed.

This set of options told the server to run a new php-cgi.exe process with insecure settings and execute the code provided in the body of the web request. The attackers followed up by running several commands in an attempt to carry out various actions: they tried to get a list of users from the host, learn more about the server’s location, and find out what environment variables were available. They also tried to execute files.

The resulting spawned processes were quickly identified by an endpoint detection and response (EDR) agent installed on the server. This is why defense in depth matters, especially for assets exposed to the internet. Requests like these should be filtered through a Web Application Firewall (WAF) that can identify and block them. But if such requests do get through, it’s important to be able to spot the activity through other monitoring, such as the EDR’s process telemetry. Alongside those controls, we recommend strong patching practices and regular software updates for the underlying infrastructure.

CVE-2024-4577 is really a bypass of the fix for a much older vulnerability, CVE-2012-1823, in which query-string values could be passed straight to the php-cgi binary as command-line options. The 2012 fix rejects query strings that begin with a hyphen; on Windows, php-cgi can be fed certain non-ASCII characters that the operating system’s character conversion later maps to a hyphen, which is enough to get past that check. The weakness persists because of the age and lack of maintenance of the CGI code path: the fixes layered on it function as guards, and once a guard is bypassed, the older vulnerability exposes the system again. PHP in general is a prime target for attackers, given its popularity and the fact that, by its very nature of serving web pages, it is exposed to the internet.

PHP’s popularity as an exploit target is evidenced by the number of unique IP addresses used by cybercriminals to leverage PHP vulnerabilities. In fact, across four vulnerabilities in the Known Exploited Vulnerabilities (KEV) catalog focused on PHP alone, there are thousands of IP addresses actively targeting the vulnerabilities, according to telemetry from GreyNoise.

CVE             Number of IP addresses
CVE-2012-1823   1,925
CVE-2017-9841   3,589
CVE-2019-9082   2,032
CVE-2024-4577   3,573

 

Interestingly, CVE-2024-4577 isn’t the most-targeted PHP vulnerability in our list. It’s narrowly beaten by CVE-2017-9841, a vulnerability in PHPUnit, a popular unit-testing framework used in the development of many PHP applications, including popular content management systems such as WordPress and Drupal. The flaw resides in PHPUnit’s eval-stdin.php file, which reads from the php://input stream (the raw HTTP request body) and evaluates whatever it receives as PHP code. If that file is reachable from the web, an attacker can send it an HTTP POST request containing PHP code and have that code executed; the fix switched the file to read from php://stdin, which a web request cannot reach. This vulnerability has been a long-standing tool in attackers’ toolkits, and the industry has seen regular activity against it for many years.
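To make the monitoring point concrete for both the php-cgi.exe command line broken down above and the PHPUnit eval-stdin.php request pattern, here is an added detection sketch. It is example code written for this post, not Expel’s detection logic or anything from the PHP or PHPUnit projects. It assumes EDR events with Sysmon-style Image and CommandLine fields, Apache common-format access log lines, and the publicly documented CVE-2024-4577 trigger (a 0xAD soft hyphen that Windows character conversion turns into a hyphen before php-cgi parses its arguments). All events and log lines are constructed for the example.

```python
"""Added example (not Expel's code): flag the PHP attack shapes from this post
in (1) process-creation events for php-cgi.exe and (2) web access log lines.
Field names, log format and all sample data are assumptions/constructed."""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# php.ini directives an attacker overrides with -d so php-cgi runs the request
# body as code. auto_prepend_file pointing at a stream wrapper only works when
# allow_url_include is on; cgi.force_redirect=0 removes the direct-invocation guard.
RISKY_DIRECTIVES = {
    "allow_url_include": lambda v: v in ("1", "on", "true"),
    "cgi.force_redirect": lambda v: v in ("0", "off", "false"),
    "auto_prepend_file": lambda v: "://" in v,
    "auto_append_file": lambda v: "://" in v,
}


def parse_php_cgi_overrides(cmdline):
    """Return {directive: value} for every '-d key=value' / '-dkey=value' on a
    php-cgi command line. Whitespace splitting is enough for the shapes seen
    here; quoted values containing spaces would need a real tokenizer."""
    argv = cmdline.split()
    overrides, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-d" and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 2
        elif tok.startswith("-d") and len(tok) > 2:
            spec, i = tok[2:], i + 1
        else:
            i += 1
            continue
        key, _, val = spec.partition("=")
        overrides[key.strip().lower()] = val.strip().lower()
    return overrides


def flag_php_cgi_process(event):
    """Risky directives set on a php-cgi.exe process-creation event ([] if none)."""
    if not event.get("Image", "").lower().endswith("php-cgi.exe"):
        return []
    overrides = parse_php_cgi_overrides(event.get("CommandLine", ""))
    return [d for d, is_risky in RISKY_DIRECTIVES.items()
            if d in overrides and is_risky(overrides[d])]


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+')


def php_arg_injection(raw_query):
    """Classify a raw (still percent-encoded) query string. Returns
    'CVE-2024-4577' for a token starting with the 0xAD soft hyphen,
    'CVE-2012-1823' for a token starting with a literal '-' (blocked by the
    2012 fix, but still a useful probe indicator), else None."""
    for tok in unquote_to_bytes(raw_query.replace("+", " ")).split():
        if len(tok) > 1 and tok[1:2].isalpha():   # looks like a php-cgi option
            if tok[:1] == b"\xad":
                return "CVE-2024-4577"
            if tok[:1] == b"-":
                return "CVE-2012-1823"
    return None


def classify_request(line):
    """Return (ip, cve, target) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    if method == "POST" and parts.path.lower().endswith("/eval-stdin.php"):
        return (m.group("ip"), "CVE-2017-9841", target)
    cve = php_arg_injection(parts.query)
    return (m.group("ip"), cve, target) if cve else None


def scan_access_log(lines):
    """Run classify_request over an iterable of log lines, keeping the hits."""
    return [hit for hit in map(classify_request, lines) if hit]


# Constructed sample telemetry. The first event mirrors the command line quoted
# in the post; the second is a benign php-cgi launch. IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"Image": r"C:\xampp\php\php-cgi.exe",
     "CommandLine": "php-cgi.exe -d cgi.force_redirect=0 -d cgi.redirect_status_env "
                    "-d allow_url_include=1 -d auto_prepend_file=php://input"},
    {"Image": r"C:\xampp\php\php-cgi.exe",
     "CommandLine": "php-cgi.exe -d display_errors=0 -d memory_limit=256M"},
]
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [02/Apr/2025:10:15:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 512',
    '203.0.113.10 - - [02/Apr/2025:10:15:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 77',
    '198.51.100.7 - - [02/Apr/2025:10:16:44 +0000] "GET /index.php?page=home&sort=-date HTTP/1.1" 200 2048',
    '203.0.113.10 - - [02/Apr/2025:10:17:09 +0000] "POST /index.php?-d+allow_url_include%3D1 HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"][:40], "->", flag_php_cgi_process(ev) or "clean")
    for ip, cve, target in scan_access_log(SAMPLE_LOG_LINES):
        print(ip, cve, target)
```

The query-string check decodes to raw bytes on purpose: decoding to text would turn the lone 0xAD byte into a replacement character and lose the indicator. The benign third log line shows why the check keys on the first byte of a whitespace-separated token rather than on any hyphen in the query.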

Naturally, the best defense against these attacks is to patch PHP, along with bundles such as XAMPP that ship it. Note that hardening php.ini alone does not close this hole: the -d options in the command above override the php.ini values for that process, which is exactly the point of the attack. Review best practices for web servers against your current configurations. While CGI had its benefits for PHP servers, it is no longer the recommended way to run scripts; the PHP maintainers warn that CGI mode can expose you to several vulnerabilities and caution against its use. Other methods, such as PHP-FPM, are recommended instead and provide better efficiency and up-to-date security compared to CGI. 

It’s also important to maintain good software hygiene in your environment. If applications are no longer needed, remove them. In one case involving XAMPP exploitation, the organization decided that the software was no longer necessary and uninstalled it, mitigating the issue. There are also times when organizations evaluate a piece of software and decide that it’s just not for them. In these cases, it’s very important to remove the software once the evaluation is complete. 

That’s all we have for this month’s Patch Tuesday blog. If you have questions about the vulnerabilities discussed here, or you’d like to learn more about Expel Vulnerability Prioritization, which can provide further context for your environment, drop us a line.