A newly disclosed vulnerability could allow unauthorized attackers to hack your website server remotely. The main vulnerability is an “env_path_info” underflow memory corruption issue in the PHP-FPM module. The vulnerability was spotted by Andrew Danau, a security researcher at Wallarm while hunting for bugs in a Capture The Flag competition, which was then weaponized by two fellow researchers to develop a fully working remote code execution exploit. Users are strongly advised to update the latest PHP 7 and PHP 7.21124.
Source: https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html