PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution.

Published Oct 28, 2019 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2022-04-15 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Classic Buffer Overflow (CWE-120) vulnerability in PHP FastCGI Process Manager (FPM). In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. Exploitation requires remote network access, higher attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●IT Security

●Running php: 7.1.0 ≤ v < 7.1.33, 7.2.0 ≤ v < 7.2.24, 7.3.0 ≤ v < 7.3.11; ubuntu linux: 12.04, 14.04, 16.04, 18.04, 19.04, 19.10; debian linux: 9.0, 10.0; fedora: 29, 30, 31; tenable.sc: v < 5.19.0; software collections: 1.0; enterprise linux: 8.0; enterprise linux desktop: 6.0, 7.0; enterprise linux eus: 7.7, 8.1, 8.2, 8.4, 8.6, 8.8; enterprise linux eus compute node: 7.7; enterprise linux for arm 64: 8.0_aarch64; enterprise linux for arm 64 eus: 8.1_aarch64, 8.2_aarch64, 8.4_aarch64, 8.6_aarch64, 8.8_aarch64; enterprise linux for ibm z systems: 6.0_s390x, 7.0_s390x, 8.0_s390x; enterprise linux for ibm z systems eus: 7.7_s390x, 8.1_s390x, 8.2_s390x, 8.4_s390x, 8.6_s390x, 8.8_s390x; enterprise linux for power big endian: 6.0_ppc64, 7.0_ppc64; enterprise linux for power big endian eus: 7.7_ppc64; enterprise linux for power little endian: 7.0_ppc64le, 8.0_ppc64le; enterprise linux for power little endian eus: 7.7_ppc64le, 8.1_ppc64le, 8.2_ppc64le, 8.4_ppc64le, 8.6_ppc64le, 8.8_ppc64le; enterprise linux for scientific computing: 7.0; enterprise linux server: 6.0, 7.0; enterprise linux server aus: 7.7, 8.2, 8.4, 8.6; enterprise linux server tus: 7.7, 8.2, 8.4, 8.6, 8.8; enterprise linux workstation: 6.0, 7.0

Real-world incidentsWhat we've seen

Used in known ransomware campaigns. Threat-research write-up: http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

Vendor advisory: https://bugs.php.net/bug.php?id=78599

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-11043

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11043

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2019-11043 ↗ NVD ↗ Vendor Advisory