Critical PHP 7 RCE Vulnerability Affects NGINX Servers
A critical remote code execution vulnerability, CVE-2019-11043, has been discovered in certain versions of PHP 7 running on NGINX with PHP-FPM enabled. Organizations are urged to patch their systems immediately to mitigate the risk.
The vulnerability allows attackers to execute system commands using crafted requests. Affected PHP versions include 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. Only NGINX servers with PHP-FPM enabled are at risk.
To protect against this, organizations should update their PHP versions to at least 7.2.24 or 7.3.11. Older NGINX versions also need patching, specifically releases below 1.14.2 and some unpatched 1.16.x releases that have reached end of life. After patching, organizations should scan their systems with Qualys Web Application Scanning (WAS) using QIDs 150270 and 150271 to confirm the vulnerability has been eliminated.
Qualys Web Application Firewall (WAF) can also help mitigate this vulnerability using pre-written rules. Organizations are advised to implement these rules alongside patching and scanning to provide comprehensive protection against CVE-2019-11043.
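The advisory above scopes exposure to two conditions: an affected PHP release and NGINX handing .php requests to PHP-FPM. The following added Python script (not part of the original advisory or of Qualys tooling) checks both from a `php-fpm -v` banner and an nginx configuration file, using only the affected version ranges stated above; the sample banner and config are constructed, and the nginx parsing is a brace-depth heuristic rather than a full config parser.

```python
import re

# First fixed release per affected branch, as stated in the advisory above.
FIXED = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}

def parse_php_version(banner):
    """Extract (major, minor, patch) from the first line of `php -v` / `php-fpm -v`."""
    m = re.search(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version in: %r" % banner)
    return tuple(int(x) for x in m.groups())

def php_is_affected(version):
    """True when the branch is 7.1/7.2/7.3 and the release predates its fix."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed

def nginx_uses_php_fpm(config_text):
    """Heuristic: does any 'location' block matching .php contain fastcgi_pass?
    Tracks brace depth so a fastcgi_pass outside the PHP location is ignored."""
    depth, php_depth = 0, None
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]          # strip trailing comments
        if php_depth is None and re.search(r"\blocation\b[^{]*\\\.php", code):
            php_depth = depth + 1             # block opens on this line
        depth += code.count("{") - code.count("}")
        if php_depth is not None and depth >= php_depth and "fastcgi_pass" in code:
            return True
        if php_depth is not None and depth < php_depth:
            php_depth = None                  # left the PHP location block
    return False

def assess(php_banner, nginx_config):
    """Exposed only if PHP is an affected release AND nginx routes .php to PHP-FPM."""
    version = parse_php_version(php_banner)
    fpm = nginx_uses_php_fpm(nginx_config)
    return {"php_version": version, "php_affected": php_is_affected(version),
            "php_fpm_in_nginx": fpm, "exposed": php_is_affected(version) and fpm}

# Constructed sample input (not real host data).
SAMPLE_BANNER = "PHP 7.3.10-1+ubuntu18.04.1 (fpm-fcgi) (built: Sep 26 2019 10:00:00)"
SAMPLE_NGINX = r"""
server {
    location ~ \.php$ {
        include fastcgi_params;   # standard FastCGI parameter set
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""
```

Run `assess(open("/etc/nginx/sites-enabled/default").read())`-style on your own hosts after collecting the banner with `php-fpm -v`; a result of `exposed: True` means patch first, then rescan with the QIDs above.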