Saudi Press

Saudi Arabia and the world
Friday, Aug 22, 2025

Hackers are using a bug in PHP7 to remotely hijack web servers

Hackers are using a bug in PHP7 to remotely hijack web servers

The PHP programming language underpins much of the Internet. It forms the basis of popular content management systems like WordPress and Drupal, as well as more sophisticated web applications, like Facebook (kinda). Therefore, it’s a huge deal whenever researchers identify a security vulnerability within it.
A couple of days ago, Emil ‘Neex’ Lerner, a Russia-based security researcher, disclosed a remote-code execution vulnerability in PHP 7 – the latest iteration of the hugely popular web development language.

With this vulnerability, which has the CVE-ID of 2019-11043, an attacker could force a remote web server to execute their own arbitrary code simply by accessing a crafted URL. The attacker only needs to add “?a=” to the website address, followed by their payload.

As pointed out by Catalin Cimpanu in ZDNet, this attack drastically lowers the barrier to entry for hacking a website, simplifying it to the point where even a non-technical user could abuse it.

Fortunately, the vulnerability only impacts servers using the NGINX web server with the PHP-FPM extension. PHP-FPM is a souped-up version of FastCGI, with a few extra features designed for high-traffic websites.

While neither of those components are necessary to use PHP 7, they remain stubbornly common, particularly in commercial environments. Cimpanu points out that NextCloud, a large productivity software provider, uses PHP7 with NGINX and PHP-FPM. It’s since released a security advisory to clients urging them to update warning them of the issue and imploring them to update their PHP install to the latest version.

Site owners who are unable to update their PHP install can mitigate the problem by setting a rule within the standard PHP mod_security firewall. Instructions on how to do this can be found on the website of appsec startup Wallarm.

This vulnerability has all the hallmarks of a security perfect storm. Not only are multiple environments at risk, but it’s also trivially simple for an attacker to exploit the vulnerability. And while patches and workarounds currently exist, as we’ve witnessed previously, not everyone is particularly proactive with their security. Two-and-a-half years after the well-publicized Heartbleed OpenSSL bug was disclosed, over 200,000 servers remained vulnerable.

And there’s evidence to suggest that hackers are already exploiting this critical PHP issue. Threat intel firm BadPackets has already confirmed to ZDNet that bad actors are already using this vulnerability to commandeer servers.

Things are going to get worse before they get better.
Newsletter

Related Articles

Saudi Press
0:00
0:00
Close
Dogfights in the Skies: Airbus on Track to Overtake Boeing and Claim Aviation Supremacy
Tim Cook Promises an AI Revolution at Apple: "One of the Most Significant Technologies of Our Generation"
Are AI Data Centres the Infrastructure of the Future or the Next Crisis?
Miles Worth Billions: How Airlines Generate Huge Profits
Zelenskyy Returns to White House Flanked by European Allies as Trump Pressures Land-Swap Deal with Putin
Beijing is moving into gold and other assets, diversifying away from the dollar
Cristiano Ronaldo Makes Surprise Stop at New Hong Kong Museum
Zelenskyy to Visit Washington after Trump–Putin Summit Yields No Agreement
High-Stakes Trump-Putin Summit on Ukraine Underway in Alaska
Iranian Protection Offers Chinese Vehicle Shipments a Cost Advantage over Japanese and Korean Makers
Saudi Arabia accelerates renewables to curb domestic oil use
Cristiano Ronaldo and Georgina Rodríguez announce engagement
Asia-Pacific dominates world’s busiest flight routes, with South Korea’s Jeju–Seoul corridor leading global rankings
Private Welsh island with 19th-century fort listed for sale at over £3 million
Sam Altman challenges Elon Musk with plans for Neuralink rival
Australia to Recognize the State of Palestine at UN Assembly
The Collapse of the Programmer Dream: AI Experts Now the Real High-Earners
Armenia and Azerbaijan to Sign US-Brokered Framework Agreement for Nakhchivan Corridor
British Labour Government Utilizes Counter-Terrorism Tools for Social Media Monitoring Against Legitimate Critics
WhatsApp Deletes 6.8 Million Scam Accounts Amid Rising Global Fraud
Nine people have been hospitalized and dozens of salmonella cases have been reported after an outbreak of infections linked to certain brands of pistachios and pistachio-containing products, according to the Public Health Agency of Canada
Texas Residents Face Water Restrictions While AI Data Centers Consume Millions of Gallons
Tariffs, AI, and the Shifting U.S. Macro Landscape: Navigating a New Economic Regime
India Rejects U.S. Tariff Threat, Defends Russian Oil Purchases
United States Establishes Strategic Bitcoin Reserve and Digital Asset Stockpile
Thousands of Private ChatGPT Conversations Accidentally Indexed by Google
China Tightens Mineral Controls, Curtailing Critical Inputs for Western Defence Contractors
OpenAI’s Bold Bet: Teaching AI to Think, Not Just Chat
BP’s Largest Oil and Gas Find in 25 Years Uncovered Offshore Brazil
JPMorgan and Coinbase Unveil Partnership to Let Chase Cardholders Buy Crypto Directly
British Tourist Dies Following Hair Transplant in Turkey, Police Investigate
WhatsApp Users Targeted in New Scam Involving Account Takeovers
Trump Deploys Nuclear Submarines After Threats from Former Russian President Medvedev
Germany’s Economic Breakdown and the Return of Militarization: From Industrial Collapse to a New Offensive Strategy
IMF Upgrades Global Growth Forecast as Weaker Dollar Supports Outlook
Politics is a good business: Barack Obama’s Reported Net Worth Growth, 1990–2025
"Crazy Thing": OpenAI's Sam Altman Warns Of AI Voice Fraud Crisis In Banking
Japanese Prime Minister Vows to Stay After Coalition Loses Upper House Majority
President Trump Diagnosed with Chronic Venous Insufficiency After Leg Swelling
Man Dies After Being Pulled Into MRI Machine Due to Metal Chain in New York Clinic
FIFA Pressured to Rethink World Cup Calendar Due to Climate Change
"Can You Hit Moscow?" Trump Asked Zelensky To Make Putin "Feel The Pain"
Nvidia Becomes World’s First Four‑Trillion‑Dollar Company Amid AI Boom
Iranian President Reportedly Injured During Israeli Strike on Secret Facility
Kurdistan Workers Party Takes Symbolic Step Towards Peace in Northern Iraq
BRICS Expands Membership with Indonesia and Ten New Partner Countries
Elon Musk Founds a Party Following a Poll on X: "You Wanted It – You Got It!"
AI Raises Alarms Over Long-Term Job Security
Saudi Arabia Maintains Ties with Iran Despite Israel Conflict
Russia Formally Recognizes Taliban Government in Afghanistan
×