
CVE-2024-4577: PHP CGI — Argument Injection RCE on Windows

CVE Details

CVE ID: CVE-2024-4577
CVSS Score: 9.8
Severity: Critical
Vendor: PHP Group
Product: PHP (CGI mode on Windows)
Patch Status: Available
Published: March 7, 2026

Background

PHP is the most widely used server-side scripting language for web development, powering an estimated 77% of websites with known server-side languages. While modern PHP deployments typically use PHP-FPM (FastCGI Process Manager), many Windows-based deployments — particularly those using XAMPP, WampServer, or similar LAMP/WAMP stacks — still use PHP in CGI mode.

CVE-2024-4577 is a critical argument injection vulnerability in PHP-CGI on Windows systems, discovered by Orange Tsai of DEVCORE and disclosed in June 2024. It is a regression and partial bypass of CVE-2012-1823, a 12-year-old PHP CGI vulnerability that was supposed to have been fixed. The root cause lies in how Windows handles certain Unicode character transformations (the “best-fit” feature in codepage conversion) — a Windows-specific issue that allows attackers to inject PHP command-line arguments via the URL.

Technical Mechanism

CVE-2024-4577 exploits the interaction between PHP’s CGI argument handling and Windows codepage Unicode character mapping.

Background — CVE-2012-1823 recap: In PHP CGI mode, if the query string contains no = character, the web server passes it (split on +) to php-cgi as command-line arguments, as the CGI specification requires. CVE-2012-1823 exploited this to pass -r <code> to the PHP interpreter, executing arbitrary code. The original fix added a check: if the URL query string begins with -, PHP refuses to treat it as arguments.

The CVE-2024-4577 bypass: On Windows, certain Unicode characters are mapped to their ASCII equivalents during codepage conversion (the “best-fit” character mapping feature). Specifically, in some East Asian codepages (including Japanese CP932/Shift-JIS, which is common in XAMPP installations):

  • The “soft hyphen” character (U+00AD, \xad) is mapped to the standard hyphen/minus (-, U+002D, \x2d) during codepage conversion

This means an attacker can send a URL with \xad (soft hyphen) instead of -, bypassing the check that looks for a literal -:

# Original CVE-2012-1823 attempt (blocked by the fix):
GET /php-cgi/php-cgi.exe?-r+system("id") HTTP/1.1

# CVE-2024-4577 bypass (soft hyphen \xad converted to - after check):
GET /php-cgi/php-cgi.exe?%ADr+system("id") HTTP/1.1
# \xad (%AD) is the soft hyphen; Windows codepage converts it to - AFTER the check

# Full exploit to execute arbitrary PHP:
GET /php-cgi/php-cgi.exe?%ADr+echo%20shell_exec('id')%3B HTTP/1.1
Host: target.example.com

The -r flag passed to php-cgi.exe as an argument causes PHP to execute the provided code string directly. This provides unauthenticated arbitrary PHP code execution.

The vulnerability only affects PHP running in CGI mode on Windows. PHP-FPM is not affected. The codepage dependency means that installations with certain East Asian locale settings (particularly Japanese) or XAMPP’s default configuration on Windows are most easily exploited, but the technique has been adapted for other locales as well.

Real-World Exploitation Evidence

Exploitation began within 24 hours of the June 6, 2024 advisory. Key exploitation campaigns documented:

  • Immediate mass exploitation: Akamai reported detecting over 1,000 exploitation attempts per hour within the first 24 hours.
  • TellYouThePass ransomware: Within days of advisory publication, the TellYouThePass ransomware group was confirmed exploiting CVE-2024-4577 to deploy ransomware on Windows web servers, particularly in Asia.
  • Coinminer deployment: Multiple coinminer campaigns exploited CVE-2024-4577 on exposed XAMPP/PHP-CGI Windows servers.
  • XAMPP targeting: XAMPP’s default configuration is particularly vulnerable; a large number of development, staging, and small business servers running XAMPP were targeted.
  • Web shells: Common post-exploitation activity included deploying PHP web shells for persistent access.

Impact Assessment

  • Unauthenticated PHP execution: Commands execute with the privileges of the web server process (typically the IIS service account or NETWORK SERVICE on Windows).
  • Web server compromise: Arbitrary PHP code execution on the web server enables file system access, database connections, and lateral movement.
  • Data exfiltration: Source code, database credentials stored in web application configuration files, and session data all become accessible.
  • XAMPP developer machines: Many XAMPP installations are on developer workstations, which may also contain credentials, source code, and access to internal systems.

Affected Versions

PHP Version | Affected  | Fixed Version
PHP 8.3     | < 8.3.8   | 8.3.8+
PHP 8.2     | < 8.2.20  | 8.2.20+
PHP 8.1     | < 8.1.29  | 8.1.29+
PHP 8.0     | All (EOL) | Upgrade to 8.1+
PHP 7.x     | All (EOL) | Upgrade to 8.1+

Note: Only PHP installations running in CGI mode on Windows are vulnerable. PHP-FPM on Linux/Windows is not affected.

Remediation Steps

  1. Upgrade PHP: Update to the fixed versions. Download from php.net or update via your package manager.

  2. Switch from CGI to PHP-FPM (recommended architectural fix): CGI mode is deprecated and insecure. Migrate to PHP-FPM for better security and performance.

  3. XAMPP-specific mitigation: If XAMPP cannot be immediately updated, add URL rewrite rules in Apache’s .htaccess to block CGI argument injection. Note that %{QUERY_STRING} holds the query string as the client sent it, still URL-encoded, so the rule has to match the encoded form (%AD) as well as a raw 0xAD byte:

    RewriteEngine On
    # Only a query string without "=" is passed to php-cgi as command-line arguments
    RewriteCond %{QUERY_STRING} ^[^=]*$
    # Reject any non-ASCII byte in such a query string, whether percent-encoded (%80-%FF) or raw
    RewriteCond %{QUERY_STRING} (%[89a-f][0-9a-f]|[\x80-\xff]) [NC]
    RewriteRule .* - [F,L]

  4. Restrict PHP-CGI from internet access: If the application doesn’t require PHP-CGI to be web-accessible, remove the CGI handler or restrict access:

    <Files "php-cgi.exe">
        Require ip 127.0.0.1
    </Files>
  5. Web Application Firewall rules: Deploy WAF rules blocking requests with %AD or other soft-hyphen variants in query strings.

Detection Guidance

Log sources:

  • IIS access logs: C:\inetpub\logs\LogFiles\
  • Apache (XAMPP) access logs: C:\xampp\apache\logs\access.log
  • Windows Event Logs for process creation

Suspicious request patterns in logs:

GET /php-cgi/php-cgi.exe?%AD
GET /cgi-bin/php-cgi.exe?%AD
GET /?%ADr+
POST /php?%AD
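As an added illustration (not part of this advisory), the following Python script applies the argument-injection logic described under Technical Mechanism to the log patterns listed above: it parses constructed Apache (XAMPP) access-log lines, percent-decodes each query string, keeps only those without = (the ones CGI passes as argv), and flags an argument that begins with - after the soft-hyphen best-fit mapping is applied. Only the U+00AD to U+002D mapping documented here is modelled; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache combined log format (XAMPP default); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jun/2024:10:15:01 +0000] "GET /php-cgi/php-cgi.exe?%ADr+echo%20shell_exec('id')%3B HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.11 - - [07/Jun/2024:10:15:02 +0000] "GET /index.php?page=home&id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.12 - - [07/Jun/2024:10:15:03 +0000] "GET /cgi-bin/php-cgi.exe?-r+system(%22id%22) HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.13 - - [07/Jun/2024:10:15:04 +0000] "GET /search?q=caf%C3%A9 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The only best-fit mapping this advisory documents: soft hyphen (0xAD) -> '-' (0x2D).
# Windows code pages contain further mappings; they are deliberately not modelled here.
BEST_FIT = {0xAD: 0x2D}

def best_fit(raw: bytes) -> bytes:
    """Approximate the Windows best-fit conversion for the byte we care about."""
    return bytes(BEST_FIT.get(b, b) for b in raw)

def argument_injection_reason(target: str):
    """Return why a request target would reach php-cgi as argv carrying a flag, else None.

    A query string with no '=' is split on '+' and handed to the script as arguments.
    PHP's CVE-2012-1823 fix rejects arguments starting with '-', but best-fit mapping
    turns a soft hyphen into '-' only after that check has run."""
    _path, sep, query = target.partition('?')
    if not sep:
        return None
    raw = unquote_to_bytes(query)      # '+' is preserved: it is the CGI argument separator
    if b'=' in raw:
        return None                    # ordinary key=value query, never treated as argv
    for arg in raw.split(b'+'):
        if best_fit(arg).startswith(b'-'):
            return 'soft-hyphen' if arg.startswith(b'\xad') else 'literal-dash'
    return None

def scan_log(text: str) -> list:
    """Return the log entries whose request target looks like CGI argument injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = argument_injection_reason(m['target'])
        if reason:
            hits.append({'ip': m['ip'], 'target': m['target'], 'status': m['status'], 'reason': reason})
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['reason'], hit['ip'], hit['status'], hit['target'])
```

A 'literal-dash' hit is the CVE-2012-1823 form that the old fix already blocks; a 'soft-hyphen' hit is the CVE-2024-4577 bypass and should be treated as an exploitation attempt regardless of the response status.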

Windows process creation indicators (Event ID 4688):

  • php-cgi.exe spawning cmd.exe, powershell.exe, or wscript.exe

Suricata signature:

# http.uri is the normalized (percent-decoded) URI buffer, so %AD arrives as the raw byte 0xAD;
# the encoded form is matched as well to cover double encoding. Case-insensitive so %ad and R both match.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PHP CGI CVE-2024-4577 Argument Injection"; flow:established,to_server; http.uri; content:"php-cgi"; nocase; pcre:"/[?&](?:\xad|%ad)r/i"; sid:9002457; rev:1;)

Timeline

Date         | Event
May 2024     | Orange Tsai (DEVCORE) discovers vulnerability
June 6, 2024 | PHP releases patched versions; advisory published
June 6, 2024 | CISA adds CVE-2024-4577 to KEV catalogue
June 7, 2024 | Mass exploitation begins; Akamai reports 1,000+ attempts/hour
June 8, 2024 | TellYouThePass ransomware exploitation documented
June 2024    | Multiple coinminer and web shell deployment campaigns