CVE-2024-4577 — PHP-CGI OS Command Injection Vulnerability

CVE-2024-4577

PHP on Windows — CGI Argument Injection Bypasses 2012 Fix, Exploited by TellYouThePass Ransomware

What is PHP-CGI?

PHP is the world's most widely used server-side scripting language, powering a large fraction of the web including WordPress, Drupal, Joomla, and countless custom web applications. When PHP is deployed in CGI mode on Windows (as opposed to PHP-FPM or mod_php), the web server spawns the php-cgi.exe binary to handle requests. This mode is less common than mod_php but still present in legacy Windows IIS deployments and in XAMPP/WAMP development stacks. CVE-2024-4577 is specific to Windows deployments of PHP in CGI mode and does not affect Linux PHP installations in the same way.

Overview

CVE-2024-4577 is an OS command injection vulnerability in PHP-CGI on Windows that allows an unauthenticated remote attacker to execute arbitrary commands on the underlying server. It is a bypass of CVE-2012-1823, a PHP-CGI argument injection vulnerability from twelve years prior. Discovered by DEVCORE researcher Orange Tsai, the flaw exploits a Windows-specific character encoding behavior (Best-Fit mapping in certain code pages) that was not accounted for in the 2012 fix. Ransomware group TellYouThePass began active exploitation within 24 hours of the June 9, 2024 patch release. CISA added it to the KEV catalog three days later, with ransomware use confirmed.

Affected Versions

PHP Version        Vulnerable                          Fixed
8.1.x              < 8.1.29                            8.1.29
8.2.x              < 8.2.20                            8.2.20
8.3.x              < 8.3.8                             8.3.8
7.x and earlier    End of life; affected on Windows    No official patch — upgrade

The vulnerability only affects Windows deployments of PHP running in CGI mode. PHP on Linux in CGI mode is not affected in the same way. PHP-FPM and mod_php deployments are not affected.

Technical Details

CWE-78 (OS Command Injection). In PHP-CGI mode, when a request is made to a PHP script, the web server invokes php-cgi.exe and passes the query string as command-line arguments. CVE-2012-1823 was a famous 2012 bug where argument injection via the query string allowed attackers to pass arbitrary arguments to php-cgi.exe — the 2012 fix added a check for a specific query-string pattern (-s, -d, etc.) and rejected requests matching it.

CVE-2024-4577 bypasses the 2012 fix via a Windows-specific behavior: Best-Fit character mapping. When Windows converts certain Unicode or multi-byte characters to the active Windows code page (e.g., Shift-JIS on Japanese-locale Windows), some characters are silently remapped to ASCII equivalents. Specifically, the soft hyphen (U+00AD, which appears URL-encoded as %AD) is remapped to a standard hyphen (-). An attacker can therefore send the blocked - prefix as a soft hyphen: it survives URL decoding and the 2012 denylist check unchanged, and is then transparently converted to - by Windows before it reaches the PHP argument parser.

The injection allows an attacker to pass arbitrary PHP-CGI arguments including -d (ini directive override), which can enable allow_url_include and then use auto_prepend_file to execute attacker-supplied PHP code from a remote URL — achieving arbitrary code execution.

Discovery

Discovered by Orange Tsai of DEVCORE, a Taiwanese offensive security research firm known for high-impact web technology vulnerability research (previous work includes Exchange ProxyLogon, ProxyShell, and others). DEVCORE published detailed technical analysis alongside the June 9, 2024 patch release.

Exploitation Context

TellYouThePass ransomware — a ransomware group known for rapidly weaponizing newly disclosed web vulnerabilities — began active exploitation within 24 hours of the June 9 patch, deploying ransomware payloads on Windows servers running PHP in CGI mode. Additional threat actors, including APT groups, also exploited the vulnerability. Particularly affected environments included Japanese-locale Windows servers (due to the Shift-JIS code page triggering the Best-Fit mapping), XAMPP-based development servers accidentally exposed to the internet, and legacy IIS+PHP-CGI deployments. The three-day CISA KEV addition (June 12) was among the fastest in 2024, reflecting the severity and speed of exploitation.

Remediation

  1. Upgrade PHP to 8.1.29, 8.2.20, or 8.3.8 (or later). PHP 7.x is end-of-life and will not receive an official patch — upgrade to PHP 8.x.
  2. If PHP-CGI mode is in use on Windows, assess whether migration to PHP-FPM or mod_php is feasible — these modes are not affected and provide a better security posture.
  3. As a temporary workaround, configure the web server (IIS, Apache) to block requests containing %ad and similar soft-hyphen encoded patterns in the query string before they reach PHP-CGI.
  4. Review web server access logs for exploitation indicators: PHP-CGI requests with %AD or similar encoded patterns in the query string, or unusual auto_prepend_file or allow_url_include ini directives in request parameters.
  5. Conduct a host compromise assessment on any Windows PHP-CGI servers that were internet-accessible before patching, given the rapid exploitation timeline.
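As an added detection example (not part of the original advisory), the Python below applies the log-review indicators from steps 3 and 4 and the mechanism described under Technical Details to a few constructed access-log lines: it flags a PHP-CGI switch token (-d, -s) whose leading dash is either the ASCII hyphen or the 0xAD soft-hyphen byte, and flags the allow_url_include / auto_prepend_file directive names. Because switches can only be parsed at the start of an argv token, it inspects just the first byte of each token, which keeps %AD occurring as a UTF-8 continuation byte inside a value from being a false positive; the log format, sample lines and tag names are assumptions.

```python
"""Access-log triage for CVE-2024-4577 / CVE-2012-1823 PHP-CGI argument injection.
Added example; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in combined-log style (assumption: Apache/IIS-like format).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:03:14:07 +0000] "GET /index.php?%ADd+allow_url_include%3d1 HTTP/1.1" 200 512
198.51.100.23 - - [10/Jun/2024:03:15:11 +0000] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 2048
198.51.100.24 - - [10/Jun/2024:03:15:12 +0000] "GET /page.php?name=%CD%AD HTTP/1.1" 200 1024
192.0.2.9 - - [10/Jun/2024:03:16:30 +0000] "GET /info.php?-s HTTP/1.1" 403 0
"""

CGI_SWITCHES = {b"d", b"s"}      # php-cgi switches named in the 2012 denylist
INI_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file")
LEADING_DASH = {0x2D, 0xAD}      # ASCII '-' or the soft hyphen Best-Fit maps to '-'
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>[^\s?]+)(?:\?(?P<query>\S*))? HTTP/')

def classify_query(query: str) -> list[str]:
    """Return indicator tags found in a raw, still percent-encoded query string."""
    findings = []
    # Per the CGI spec a query string with no '=' is split on '+' and handed to
    # php-cgi as argv, so a switch can only appear at the start of such a token.
    if "=" not in query:
        for token in query.split("+"):
            raw = unquote_to_bytes(token)
            # Only the token's first byte is tested, so 0xAD inside a value
            # (e.g. %CD%AD, a UTF-8 continuation byte) does not trigger a hit.
            if len(raw) >= 2 and raw[0] in LEADING_DASH and raw[1:2] in CGI_SWITCHES:
                kind = "soft-hyphen" if raw[0] == 0xAD else "ascii-dash"
                findings.append(f"cgi-switch:{kind}:-{raw[1:2].decode()}")
    decoded = unquote_to_bytes(query).lower()
    findings += [f"ini-directive:{d.decode()}" for d in INI_DIRECTIVES if d in decoded]
    return findings

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (request path, findings) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group("query"):
            findings = classify_query(m.group("query"))
            if findings:
                hits.append((m.group("path"), findings))
    return hits
```

Running scan_log(SAMPLE_LOG) returns only the first and last sample requests; the two lines whose %AD bytes are ordinary UTF-8 continuation bytes are left alone.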

Key Details

Property              Value
CVE ID                CVE-2024-4577
Vendor / Product      PHP Group — PHP
NVD Published         2024-06-09
NVD Last Modified     2025-11-03
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78
CISA KEV Added        2024-06-12
CISA KEV Deadline     2024-07-03
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-07-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-06-06    DEVCORE researcher Orange Tsai reports the vulnerability to the PHP maintainers
2024-06-09    PHP releases emergency patches (8.1.29, 8.2.20, 8.3.8) and DEVCORE publishes its research
2024-06-10    TellYouThePass ransomware group begins active exploitation within 24 hours of patch publication
2024-06-12    Added to the CISA Known Exploited Vulnerabilities catalog
2024-07-03    CISA BOD 22-01 remediation deadline

References

Resource                  Type
PHP 8.x Changelog         Vendor Advisory
NVD — CVE-2024-4577       Vulnerability Database
CISA KEV Catalog Entry    US Government