tags: php command_injection
original link: No Way, PHP Strikes Again: CVE-2024-4577
newsletter link: exploits.club Weekly Newsletter 25


Exploits Club Summary:

Last week, @orange_8361 tweeted that PHP had fixed an RCE vulnerability he had reported. In the tweet, he included a short write-up with a bit more information. That seemed to be enough for the team over at watchTowr, who released a blog post a few hours later, complete with a full RCA and exploit. The vulnerability itself stems from a mix-up in the Unicode handling for command-line arguments, resulting in an injection.