Threat actors have begun exploiting a recently fixed remote code execution (RCE) vulnerability in PHP 7 in order to compromise vulnerable servers, researchers with Bad Packets are warning. The flaw, tracked as CVE-2019-11043, is very easy to exploit using proof-of-concept exploit code that was recently published on GitHub.
To exploit the issue, all an attacker has to do is send a specially crafted URL to a vulnerable server. The flaw does not affect all servers running PHP, only NGINX servers running the non-standard PHP-FPM component.