CVE-2019-11043

Severity: Critical · Listed in CISA KEV · Exploit available
Published: Mar 25, 2022  ·  Source: CISA_KEV
CVSS v3
9.0
📄 Description (English)

PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability — In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution.

🤖 AI Executive Summary

CVE-2019-11043 is a critical buffer overflow vulnerability in PHP's FastCGI Process Manager (FPM) that allows remote code execution without authentication. When PHP-FPM is configured with specific nginx settings (particularly using PATH_INFO), attackers can craft malicious HTTP requests to overwrite memory buffers and execute arbitrary code. A public exploit (phuip-fpizdam) has been available since 2019, making this vulnerability actively exploitable. Organizations running vulnerable PHP-FPM configurations face complete server compromise.

🤖 AI Intelligence Analysis (analyzed Apr 13, 2026 05:49)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi organizations across multiple critical sectors. Government portals and e-services (Yesser, Absher, Etimad) running PHP-FPM with nginx are prime targets for nation-state actors and cybercriminals. Banking and financial institutions regulated by SAMA that host web applications on PHP stacks risk complete backend compromise, potentially exposing customer financial data and violating SAMA CSF requirements. Healthcare organizations using PHP-based patient portals and HIS systems face data breach risks under PDPL. Energy sector digital platforms including ARAMCO and SEC supplier portals built on PHP are at risk of supply chain attacks. Telecom providers (STC, Mobily, Zain) running PHP-based customer portals could face mass data exposure. Given Saudi Arabia's rapid digital transformation under Vision 2030, the prevalence of PHP-based web applications across government and private sectors significantly amplifies the attack surface.
🏢 Affected Saudi Sectors
Banking Government Healthcare Energy Telecom Education Retail Media
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all servers running PHP-FPM with nginx using: grep -r 'fastcgi_split_path_info' /etc/nginx/
2. Check PHP version: php-fpm --version (vulnerable: PHP 7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11)
3. Temporarily disable PATH_INFO processing in nginx if not required

PATCHING GUIDANCE:
1. Upgrade PHP to patched versions: 7.1.33+, 7.2.24+, or 7.3.11+
2. For PHP 5.x and 7.0.x (EOL): migrate to supported versions immediately
3. Apply OS vendor patches (RHEL, Ubuntu, Debian have backported fixes)

COMPENSATING CONTROLS:
1. Remove or modify the vulnerable nginx configuration:
- Remove: fastcgi_split_path_info ^(.+\.php)(/.*)$;
- Only if PATH_INFO is genuinely required, add: fastcgi_param PATH_INFO $fastcgi_path_info;
2. Add nginx rule to block requests with path traversal: if ($request_uri ~* "\.php/") { return 403; }
3. Deploy WAF rules to detect phuip-fpizdam exploit patterns
4. Implement network segmentation to restrict direct internet access to PHP-FPM ports
5. Enable PHP-FPM process isolation using chroot or containers

DETECTION RULES:
1. Monitor for HTTP requests containing multiple path separators before .php extension
2. SIEM alert: Unusual PHP-FPM process spawning or privilege escalation
3. IDS signature: Requests matching pattern '*.php/*' with abnormal query strings
4. Monitor /var/log/php-fpm/ for segmentation faults or unexpected crashes
5. Deploy Suricata/Snort rule: alert http any any -> $HTTP_SERVERS any (msg:"CVE-2019-11043 PHP-FPM RCE Attempt"; content:".php"; pcre:"/\.php\/[^\s]*\?[^\s]*=/i"; sid:2019110430;)
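The following is an added example, not code from the original page or the site, showing how the detection rules above (the ".php/" path-info pattern from the Suricata rule and the nginx block rule, correlated with the PHP-FPM crashes from step 4) can be applied to nginx access logs. The log format, field names and sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
# Same expression as the Suricata pcre above: ".php/" followed by a query string containing "=".
IDS_RE = re.compile(r'\.php/[^\s]*\?[^\s]*=', re.IGNORECASE)
# Same condition as the nginx block rule above: any ".php/" (PATH_INFO) in the request target.
PATHINFO_RE = re.compile(r'\.php/', re.IGNORECASE)

def classify_target(target):
    """Return a reason tag for a suspicious request target, or None if it looks clean.
    The raw target and its percent-decoded form are both checked, so "%2E"/"%2F"
    encodings of the same pattern are not missed."""
    variants = (("raw", target), ("decoded", unquote(target)))
    for name, t in variants:
        if IDS_RE.search(t):
            return "ids-pattern:" + name
    for name, t in variants:
        if PATHINFO_RE.search(t):
            return "php-path-info:" + name
    return None

def scan_access_log(lines):
    """Return (ip, target, status, reason, confidence) for each suspicious log line.
    A matching request that ended in 5xx is rated 'high': a crashed PHP-FPM worker
    (step 4 above) surfaces to nginx as a 502 Bad Gateway."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        reason = classify_target(m.group("target"))
        if reason is None:
            continue
        status = int(m.group("status"))
        confidence = "high" if status >= 500 else "medium"
        hits.append((m.group("ip"), m.group("target"), status, reason, confidence))
    return hits

# Constructed sample lines (not real traffic); addresses are from the TEST-NET-3 range.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2026:05:49:01 +0300] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Apr/2026:05:49:02 +0300] "GET /index.php/probe?x=1 HTTP/1.1" 502 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [13/Apr/2026:05:49:03 +0300] "GET /index%2Ephp/probe?x=1 HTTP/1.1" 502 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [13/Apr/2026:05:49:04 +0300] "GET /app.php/download HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Legitimate applications that rely on PATH_INFO will also trigger the "php-path-info" tag, which is why the page recommends disabling PATH_INFO where it is not required before relying on this rule alone.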
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC-2-1: Cybersecurity Risk Management — unpatched critical RCE vulnerability
- ECC-3-3-3: Patch Management — failure to apply critical security patches
- ECC-3-3-6: Web Application Security — PHP-FPM misconfiguration enabling RCE
- ECC-3-3-1: Asset Management — identification of vulnerable PHP-FPM instances
- ECC-3-3-7: Vulnerability Management — critical vulnerability remediation timelines
- ECC-4-3-2: Incident Management — detection and response to active exploitation
🔵 SAMA CSF
- 3.3.7 Vulnerability Management — critical RCE vulnerability requiring immediate patching
- 3.3.6 Patch Management — PHP-FPM patch deployment across financial systems
- 3.3.5 Web Application Security — securing PHP-based banking portals
- 3.4.1 Cyber Incident Management — response to potential active exploitation
- 3.2.3 Network Security — compensating controls and segmentation
- 3.3.2 Secure Configuration Management — PHP-FPM and nginx hardening
🟡 ISO 27001:2022
- A.8.8 Management of technical vulnerabilities — critical patch management
- A.8.19 Installation of software on operational systems — controlled PHP upgrades
- A.8.25 Secure development lifecycle — secure PHP-FPM configuration standards
- A.8.9 Configuration management — nginx and PHP-FPM secure baseline
- A.5.30 ICT readiness for business continuity — impact of server compromise
- A.8.16 Monitoring activities — detection of exploitation attempts
🟣 PCI DSS v4.0
- Requirement 6.3.3 — All system components protected from known vulnerabilities via patching
- Requirement 6.2.4 — Software engineering techniques to prevent common vulnerabilities including buffer overflows
- Requirement 11.3.1 — Internal vulnerability scanning identifying PHP-FPM exposure
- Requirement 12.3.2 — Targeted risk analysis for unpatched critical vulnerabilities
- Requirement 6.4.1 — WAF deployment to protect public-facing web applications
📦 Affected Products / CPE (1 entry)
- PHP: FastCGI Process Manager (FPM)
📋 Quick Facts
- Severity: Critical
- CVSS Score: 9.0
- EPSS: 94.05%
- Exploit available: Yes
- Patch available: Yes
- CISA KEV: Yes
- KEV Due Date: 2022-04-15
- Published: 2022-03-25
- Source Feed: cisa_kev
🏷️ Tags: kev, actively-exploited, ransomware