CVE-2023-3824

CRITICAL EXPLOITED RANSOMWARE

PHP <8.0.30-8.2.8 - Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2023-3824 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 3 public exploits from researchers including jhonnybonny, dadosneurais, bluefish3r.

AI-analyzed exploit summary This repository provides a functional PoC for CVE-2023-3824, demonstrating a buffer overflow vulnerability in PHP's Phar file handling. It includes code to create a malicious Phar file and trigger the overflow via directory operations.

Description

In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

Exploits (3)

nomisec WORKING POC 3 stars

by jhonnybonny · poc

https://github.com/jhonnybonny/CVE-2023-3824

View Code ZIP pw:eip

This repository provides a functional PoC for CVE-2023-3824, demonstrating a buffer overflow vulnerability in PHP's Phar file handling. It includes code to create a malicious Phar file and trigger the overflow via directory operations.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: PHP (versions affected by CVE-2023-3824)

No auth needed

Prerequisites: PHP installation with Phar extension enabled

MITRE ATT&CK

T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by dadosneurais · poc

https://github.com/dadosneurais/cve-2023-3824

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-3824, leveraging PHAR deserialization to achieve remote code execution (RCE). The exploit involves uploading a malicious PHAR file, which extracts a shell.php payload to execute arbitrary commands.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP (versions with PHAR deserialization vulnerability, e.g., PHP 8.0.29)

No auth needed

Prerequisites: PHP with phar.readonly disabled · Ability to upload files to the target server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec SUSPICIOUS

by bluefish3r · poc

https://github.com/bluefish3r/poc-cve

View Code ZIP pw:eip

The repository contains only a README with a link to an external Codeberg repository, providing no technical details or exploit code. This is characteristic of a social engineering lure.

Classification

Suspicious 90%

Attack Type

Other

Complexity

Unknown

Reliability

Unknown

Target: unknown

Auth required

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory

https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv

Mailing List

https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html

Mailing List

https://lists.fedoraproject.org/archives/list/[email protected]/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20230825-0001/

Scores

CVSS v3 9.4

EPSS 0.3177

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Details

VulnCheck KEV 2024-05-06

Ransomware Use Confirmed

CWE

CWE-119

Status published

Products (3)

debian/debian_linux 10.0

fedoraproject/fedora 38

php/php 8.0.0 - 8.0.30

Published Aug 11, 2023

Tracked Since Feb 18, 2026