CVE-2024-4577: PHP CGI Argument Injection on Windows
How a locale-specific Windows character-mapping quirk bypassed a decade-old PHP security patch and triggered a ransomware wave within 24 hours of disclosure
CVE-2024-4577 is a critical argument injection vulnerability in PHP's CGI mode on Windows, disclosed by Devcore researcher Orange Tsai in June 2024. The flaw completely bypasses the fix for CVE-2012-1823 — a twelve-year-old patch meant to block exactly this class of attack — by exploiting a Windows Unicode character-mapping behavior that PHP's security check never anticipated. Exploitation requires no authentication, no user interaction, and no knowledge of the target beyond the existence of a PHP-CGI endpoint. TellYouThePass ransomware operators had working attacks deployed against live targets before most administrators had read the advisory.
Root Cause: Windows Best-Fit Character Mapping
PHP's CGI mode passes URL query strings to the PHP binary as command-line arguments. The fix for CVE-2012-1823 attempted to block argument injection by stripping leading hyphens from query strings before passing them to php-cgi.exe. CVE-2024-4577 bypasses that check entirely through a Windows-specific behavior called 'best-fit' character encoding conversion.
When Windows converts Unicode characters to a legacy ANSI code page, it maps certain Unicode code points to their closest ASCII equivalents. The soft hyphen (U+00AD) is mapped to a regular hyphen (U+002D) during this conversion. PHP's CVE-2012-1823 check only filters standard ASCII hyphens — so an attacker passes a soft hyphen in the URL query string, Windows converts it to a real hyphen during CGI processing, and the resulting argument reaches php-cgi.exe as a valid flag.
This allows injection of PHP runtime directives such as `-d allow_url_include=1` and `-d auto_prepend_file=php://input`, enabling the attacker to prepend arbitrary PHP code to every request — full remote code execution from a single HTTP request.
Affected Versions and Exposure Surface
The vulnerability affects PHP running in CGI mode on Windows across three active branches: PHP 8.3 before 8.3.8, PHP 8.2 before 8.2.20, and PHP 8.1 before 8.1.29. End-of-life branches (8.0, 7.x, 5.x) were not patched and remain permanently vulnerable.
XAMPP installations were the highest-risk surface — XAMPP places php-cgi.exe in a web-accessible path by default and ships in CGI mode. Security researchers estimated tens of thousands of internet-exposed PHP-CGI endpoints based on Shodan scans taken shortly after disclosure. The character mapping quirk is most pronounced on Windows systems configured with Japanese, Traditional Chinese, or Simplified Chinese locales, but broader exploitation was observed across all Windows locale configurations with XAMPP defaults.
Exploitation Mechanics and Attack Chain
The full exploit is a single HTTP GET request. No multi-stage payload, no brute force, no credential material required.
Locate PHP-CGI Endpoint
Attacker identifies an internet-facing PHP-CGI endpoint — common paths include /php-cgi/php-cgi.exe or XAMPP default configurations accessible at the server root.
Craft Request with Soft Hyphen
GET request sent with query string containing U+00AD (soft hyphen, URL-encoded as %C2%AD or %AD) followed by PHP runtime flags: ?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input
Windows Character Conversion
Windows best-fit mapping converts U+00AD to a standard hyphen (U+002D) during CGI argument processing — after PHP's hyphen-stripping check has already run.
PHP Argument Injection
php-cgi.exe receives -d allow_url_include=1 -d auto_prepend_file=php://input as valid flags; PHP reads and executes attacker code from the HTTP request body.
Code Execution and Payload Delivery
Arbitrary PHP executes as the web server user. TellYouThePass operators dropped a PHP webshell in the first stage, then deployed the ransomware binary encrypting files on the server.
TellYouThePass Ransomware Exploitation
Akamai's Security Intelligence Group confirmed active TellYouThePass ransomware campaigns exploiting CVE-2024-4577 within hours of the June 6, 2024 disclosure. Operators used the RCE to drop a PHP webshell for persistent access, then deployed the ransomware binary to encrypt files and drop ransom notes.
TellYouThePass is a veteran ransomware family active since 2019 that specifically hunts server-side vulnerabilities rather than phishing end users. It previously mass-exploited Log4Shell (CVE-2021-44228) with the same rapid-weaponization pattern. Its operators monitor vulnerability disclosure channels closely and keep infrastructure pre-positioned to launch campaigns within hours of a public PoC.
Indicators of Compromise
Detection focuses on anomalous PHP-CGI argument patterns in web server logs and unusual process behavior.
| Artifact | Type | Detection guidance |
|---|---|---|
| Query strings containing %AD, %C2%AD, or raw U+00AD before PHP flag names | HTTP access log — URL query string | Filter web server logs for soft hyphen encoded variants in requests to php-cgi endpoints |
| php-cgi.exe spawning cmd.exe, powershell.exe, or wscript.exe as child processes | Process telemetry | PHP-CGI should never spawn shell processes — any such parent-child relationship indicates exploitation |
| Unexpected .php files created in web-accessible directories post-request | Filesystem — webshell artifact | TellYouThePass campaign characteristic; audit htdocs and wwwroot for new PHP files |
| Outbound network connections from php-cgi.exe to external IPs | Network telemetry | PHP-CGI establishing outbound connections is abnormal; indicates C2 callback or payload staging |
Any instance of msimg32.dll found outside C:\Windows\System32 is an active IOC. Isolate the host immediately. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
Remediation
Steps in order of urgency:
Update PHP immediately
Apply PHP 8.3.8+, 8.2.20+, or 8.1.29+. The patch adds best-fit character normalization to the argument sanitization logic so soft hyphens are stripped alongside standard hyphens. Verify the running version with `php-cgi --version`.
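An added helper (not code from the advisory or the PHP project) that classifies the banner printed by `php-cgi --version` against the fixed releases listed above. It treats 8.0, 7.x and 5.x as permanently vulnerable, reports non-CGI SAPIs (cli, fpm-fcgi) as out of scope, and assumes, as my own assumption, that branches newer than 8.3 shipped after the fix.

```python
import re
import subprocess

# First fixed release on each maintained branch (from the advisory); earlier releases on
# these branches are vulnerable when running as php-cgi.exe.
FIXED_RELEASES = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}
NEWEST_PATCHED_BRANCH = (8, 3)   # assumption: branches newer than 8.3 shipped after the fix
BANNER_RE = re.compile(r'PHP (\d+)\.(\d+)\.(\d+)\S*\s+\((\S+)\)')  # e.g. "PHP 8.2.19 (cgi-fcgi)"

def assess_php_version(banner: str):
    """Classify a `php-cgi --version` banner. Returns (status, version_tuple) with status
    one of 'not-cgi', 'fixed', 'vulnerable' or 'eol-vulnerable'."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError('unrecognised PHP version banner: %r' % banner)
    version = tuple(int(x) for x in m.group(1, 2, 3))
    sapi = m.group(4)
    if not sapi.startswith('cgi'):            # php-cgi reports "cgi-fcgi"; cli and fpm-fcgi are unaffected
        return 'not-cgi', version
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return ('fixed' if version >= FIXED_RELEASES[branch] else 'vulnerable'), version
    if branch > NEWEST_PATCHED_BRANCH:
        return 'fixed', version
    return 'eol-vulnerable', version          # 8.0, 7.x, 5.x: no patch will be issued

def assess_local_php_cgi(binary: str = 'php-cgi'):
    """Run the local binary and classify it; pass the full path to php-cgi.exe on Windows
    if it is not on PATH."""
    out = subprocess.run([binary, '--version'], capture_output=True, text=True, check=True)
    return assess_php_version(out.stdout)
```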
Switch from CGI mode to PHP-FPM
PHP-FPM (FastCGI Process Manager) does not expose the CGI argument injection surface. If your stack allows it, migrating to FPM eliminates this entire vulnerability class and is the recommended long-term configuration.
Restrict access to the php-cgi directory
For XAMPP: remove web accessibility of /php-cgi/ entirely using Apache's .htaccess or VirtualHost Deny directives. There is no legitimate reason for the php-cgi binary to be HTTP-accessible.
Block soft hyphen at the WAF
As an emergency compensating control, configure WAF rules to block requests containing %C2%AD or %AD in query strings targeting CGI endpoints. This buys time while patching is coordinated.
Remove end-of-life PHP versions
PHP 8.0, 7.x, and 5.x will not receive a CVE-2024-4577 patch. Any production system running these versions must migrate to a supported branch — they are permanently vulnerable.
The bottom line
CVE-2024-4577 is a masterclass in why 'patched twelve years ago' is not the same as 'safe forever.' A platform-specific quirk (Windows Unicode mapping) rendered a well-intentioned security fix completely ineffective on an entire OS. The sub-24-hour ransomware deployment window makes this one of the most aggressively exploited server-side vulnerabilities of 2024. Any PHP-CGI installation on Windows that was internet-facing during the disclosure window must be treated as potentially compromised.
Frequently asked questions
Does CVE-2024-4577 affect PHP on Linux or macOS?
No. The vulnerability is Windows-specific. It exploits a Windows character-encoding conversion behavior (best-fit mapping) that does not exist on Linux or macOS. PHP-CGI on those platforms is not affected by this bypass.
Is PHP-FPM affected by CVE-2024-4577?
No. CVE-2024-4577 only affects PHP running in CGI mode (php-cgi.exe). PHP-FPM uses a different execution model that does not expose the CGI argument injection surface and is not affected.
How do I check whether my server was exploited before patching?
Review web server access logs for requests to PHP-CGI endpoints containing %AD, %C2%AD, or the raw soft hyphen (U+00AD) in query strings. Also audit web-accessible directories for newly created .php files (webshells) and check for unexpected outbound network connections from the PHP process.
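A worked log-scanning example, added here and not code from the advisory, Akamai or the PHP project, covering both the first row of the Indicators of Compromise table and this answer. It percent-decodes each query string sent to a php-cgi endpoint, applies the same soft-hyphen-to-hyphen mapping Windows applies, and reports only requests where the mapped character turns into a command-line option, so a benign soft hyphen inside a parameter value is not flagged. The log lines and addresses are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (fictional addresses); line 4 carries a raw U+00AD, line 5 a benign one.
SAMPLE_LOG = (
    '203.0.113.5 - - [07/Jun/2024:10:12:01 +0000] "GET /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512\n'
    '203.0.113.6 - - [07/Jun/2024:10:12:02 +0000] "GET /php-cgi/php-cgi.exe?%C2%ADd+cgi.force_redirect%3d0 HTTP/1.1" 200 13\n'
    '198.51.100.9 - - [07/Jun/2024:10:13:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024\n'
    '198.51.100.10 - - [07/Jun/2024:10:14:00 +0000] "POST /php-cgi/php-cgi.exe?\u00add+allow_url_include%3d1 HTTP/1.1" 200 77\n'
    '203.0.113.7 - - [07/Jun/2024:10:15:00 +0000] "GET /php-cgi/php-cgi.exe?q=soft%ADhyphen HTTP/1.1" 200 10\n'
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
SOFT_HYPHEN_FORMS = (b'\xc2\xad', b'\xad')       # UTF-8 and single-byte encodings of U+00AD
OPTION_RE = re.compile(rb'(?:^|\s)-[A-Za-z]')     # a php-cgi option token such as "-d"
DIRECTIVE_RE = re.compile(rb'-d\s+([A-Za-z_.]+)')  # INI directive names set via -d

def contains_soft_hyphen(raw_query: str) -> bool:
    return any(form in unquote_to_bytes(raw_query) for form in SOFT_HYPHEN_FORMS)

def as_argv_view(raw_query: str) -> bytes:
    # Percent-decode, treat '+' as a space, then apply the best-fit mapping Windows applies
    # (soft hyphen -> ASCII hyphen) to reconstruct what php-cgi.exe saw on its command line.
    argv = unquote_to_bytes(raw_query).replace(b'+', b' ')
    for form in SOFT_HYPHEN_FORMS:               # two-byte form first, then the lone 0xAD
        argv = argv.replace(form, b'-')
    return argv

def analyze_target(target: str):
    """Return a finding dict for a request URL matching the CVE-2024-4577 pattern, else None."""
    path, _, query = target.partition('?')
    if 'php-cgi' not in path.lower() or not query or not contains_soft_hyphen(query):
        return None
    argv = as_argv_view(query)
    if not OPTION_RE.search(argv):               # soft hyphen never became an option: benign
        return None
    return {'path': path, 'argv_view': argv.decode('ascii', 'replace'),
            'directives': [d.decode('ascii') for d in DIRECTIVE_RE.findall(argv)]}

def scan_access_log(text: str):
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_target(m['target'])
        if finding:
            finding.update(ip=m['ip'], timestamp=m['ts'], method=m['method'])
            findings.append(finding)
    return findings
```

Pair any hit with the process and filesystem rows of the table above: a flagged request followed by php-cgi.exe spawning a shell or a new .php file under htdocs is a strong compromise signal, not just a scan.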
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
