### Key Information Summary

#### Vulnerability Details

- **Vulnerability Name**: CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam)
- **CVSS v4 Severity**: 10.0/10 (Critical)
- **CVE ID**: CVE-2026-27613

#### Impact

- **Affected Versions**: <2.01
- **Fixed Version**: 2.01
- **Potential Impact**:
  - Source Code Disclosure
  - Remote Code Execution (RCE)

#### Description

- **Source Code Disclosure**: If `STRICT_CGI_PARAMS` is enabled (default setting), an attacker can send parameters starting with a hyphen (-). When using CGI handlers such as PHP, this can lead to source code disclosure.
- **Remote Code Execution**: If `STRICT_CGI_PARAMS` is disabled, the server attempts to sanitize input using `cmd.exe` escaping conventions. However, due to differing quote escaping behaviors in native Win32 binaries like `msvcrt.dll`, an attacker can inject unescaped double quotes to break out of parameter quotes, resulting in RCE.

#### Remediation and Recommendations

- **Fixed Version**: 2.01; ensure immediate upgrade.
- **Temporary Mitigations**:
  1. Ensure `STRICT_CGI_PARAMS` is enabled.
  2. Avoid using CGI executables that may accept dangerous command-line flags.
  3. If PHP is deployed, consider configuring a Web Application Firewall (WAF) to block URL query string parameters that start with a hyphen or contain encoded double quotes (%22).

#### References

- Section 4 of RFC 3875 regarding CGI Version 1.1
- PHP-CGI Parameter Injection Security Advisory
- Detailed security advisory page for CVE-2026-27613

#### CVSS v4 Base Metrics

- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Attack Requirements**: None
- **Privileges Required**: None

Users are strongly advised to upgrade immediately to the secure version 2.01.
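
The request filter described in temporary mitigation 3, sketched as an added example (it is not code from the advisory or from the affected project). The function names, the choice to split on both `&` and `+`, and the bounded repeated percent-decoding are assumptions of this example.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap


def fully_decode(token: str) -> str:
    """Percent-decode repeatedly so %2d, %22 and nested forms like %2522 are seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(token)
        if decoded == token:
            break
        token = decoded
    return token


def inspect_query(raw_query: str) -> list[tuple[str, str]]:
    """Return (raw_token, reason) pairs for tokens the mitigation says to block."""
    findings = []
    # '&' separates parameters; '+' separates RFC 3875 search-words.
    # Treating both as separators is a conservative assumption of this example.
    for token in re.split(r"[&+]", raw_query):
        if not token:
            continue
        decoded = fully_decode(token)
        if decoded.startswith("-"):
            findings.append((token, "leading hyphen"))
        if '"' in decoded:
            findings.append((token, "double quote"))
    return findings


def should_block(raw_query: str) -> bool:
    return bool(inspect_query(raw_query))


# Constructed sample query strings, not taken from real traffic.
SAMPLES = ["id=42&sort=name", "-example", "%2dexample",
           "file=a%22b", "file=a%2522b", "q=red+-blue", "a=-1"]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:20} block={should_block(qs)} {inspect_query(qs)}")
```

Splitting on `+` means a legitimate search such as `q=red+-blue` is also rejected; a filter like this is a stopgap until the upgrade to 2.01, not a replacement for it.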