Register now for our Web Enablement Ecosystem webinar!

Knowledge Base

Security Alert: CVE-2024-4577 – PHP CGI Argument Injection Vulnerability

 
fastcgiphpphp versionsplesk phpreleases

Situation

  • Critical vulnerability CVE-2024-4577 has been identified in PHP, affecting all versions of PHP installed on the Windows operating systems below the next:

    • PHP 8.3: < 8.3.8
    • PHP 8.2: < 8.2.20
    • PHP 8.1 < 8.1.29

Impact

Potentially allow unauthenticated attackers to bypass previous protections and execute arbitrary code on remote PHP servers through an argument injection attack.

Status

The issue was investigated by our Security Team concluding that Plesk is not affected because:

  • For Windows it runs PHP in FastCGI mode and does not support the CGI mode.
  • Plesk supports CGI, but it does not put the php.exe or php-cgi.exe binaries into the /cgi-bin/ directories and does not expose PHP binaries to CGI in other ways (e.g. via web server configuration).

Therefore Plesk users are not susceptible to this PHP for Windows vulnerability. Nonetheless Plesk PHP versions will be updated to the corrected ones as usual on its upcoming releases.

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

© 2025 WebPros International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of WebPros International GmbH.

Managed with love with Plesk WP Toolkit