A recently patched PHP remote code execution vulnerability is being exploited to take control of servers. The vulnerability, tracked as CVE-2019-11043, allows an attacker to execute commands on a vulnerable server by sending a specially crafted URL. Proof-of-concept (PoC) exploit code has been released on GitHub.
Not all PHP web servers are affected; only servers running NGINX with PHP-FPM enabled are.
PHP-FPM, short for FastCGI Process Manager, is an alternative PHP FastCGI implementation. It is not a standard component of Nginx, but hosting providers include it as part of a standard managed PHP environment.
One of the hosts, Nextcloud, has issued a security alert to customers urging them to upgrade to the latest PHP releases, 7.3.11 and 7.2.24.
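The exposure criteria above (NGINX in front of PHP-FPM, PHP older than 7.3.11 or 7.2.24) can be turned into a quick host triage. This is an added example, not code from the advisory or from any project named here; the function names, result labels and sample inputs are constructed, and it assumes that an active `fastcgi_pass` directive on the host points at PHP-FPM.

```python
import re

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED = {(7, 3): (7, 3, 11), (7, 2): (7, 2, 24)}

def parse_php_version(text):
    """Pull (major, minor, patch) out of `php-fpm -v` style output."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no PHP version found in: %r" % text)
    return tuple(int(part) for part in m.groups())

def nginx_uses_fastcgi(conf_text):
    """True if an active (non-commented) fastcgi_pass directive exists.
    Assumption: on this host fastcgi_pass points at PHP-FPM."""
    for line in conf_text.splitlines():
        active = line.split("#", 1)[0].strip()  # drop nginx comments
        if re.match(r"fastcgi_pass\s+\S+", active):
            return True
    return False

def triage(version_output, nginx_conf):
    """Classify one host for CVE-2019-11043 using only the article's facts."""
    if not nginx_uses_fastcgi(nginx_conf):
        return "not-nginx-fpm"        # not the NGINX + PHP-FPM stack
    version = parse_php_version(version_output)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "branch-not-covered"   # article names no fixed release here
    return "patched" if version >= fixed else "upgrade-needed"

# Constructed sample inputs (not taken from any real server).
SAMPLE_CONF = """
server {
    location ~ \\.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""
COMMENTED_CONF = "server {\n    # fastcgi_pass 127.0.0.1:9000;\n}\n"

if __name__ == "__main__":
    for out in ("PHP 7.3.10 (fpm-fcgi)", "PHP 7.2.24 (fpm-fcgi)",
                "PHP 7.1.32 (fpm-fcgi)"):
        print(out, "->", triage(out, SAMPLE_CONF))
```

A `branch-not-covered` result means the installed branch is not one of the two the article lists, so the vendor's own advisory has to be consulted for that host.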