PHP CVE-2024-4577 is a CVSS 9.8 argument-injection vulnerability in PHP-CGI on Windows that effectively reopens the 12-year-old CVE-2012-1823 hole. Devcore researcher Orange Tsai disclosed the issue on June 6, 2024, and within 48 hours multiple honeypots reported mass scanning and the TellYouThePass ransomware crew folded a weaponized PoC into their affiliate kit. The root cause is a mismatch between how Windows interprets multi-byte characters and how PHP's argument-escaping logic sanitizes the command line, and the practical impact is unauthenticated remote code execution against any PHP-CGI install on a Windows server running in affected locales.
What is the technical root cause of CVE-2024-4577?
The technical root cause of CVE-2024-4577 is a "best-fit" character mapping in Windows that converts certain Unicode characters into ASCII when the system is configured with specific Chinese, Japanese, or Traditional Chinese code pages, undoing the escaping PHP performs when building the command line passed to php-cgi.exe. The 2012 fix for CVE-2012-1823 was supposed to make a query string like ?-d+allow_url_include=1+-d+auto_prepend_file=php://input fail because PHP's CGI front-end now refuses query strings that look like options. That sanitizer escapes the dash character by mapping it to \-.
On a Windows host whose code page is 932 (Japanese), 936 (Simplified Chinese), or 950 (Traditional Chinese), the Win32 CreateProcess API performs its own best-fit conversion on the command line. Certain Unicode dash variants such as 0xAD (soft hyphen) survive PHP's escape layer because PHP does not consider them equivalent to the ASCII dash, but Windows's best-fit logic maps them to a literal - before the CGI binary sees them. The result is that the escaped string is "fixed" into a valid PHP option flag after escaping has already run, and the 2012 class of attacks works again.
Orange Tsai documented the exact code-path in the Devcore advisory, and PHP maintainers confirmed the analysis in the upstream fix notes. The patch replaces the naive escape with a stricter filter that rejects any character that Windows might map to a dash.
Which PHP versions and configurations are affected?
The affected configurations are PHP 8.3 prior to 8.3.8, PHP 8.2 prior to 8.2.20, and PHP 8.1 prior to 8.1.29 when deployed as CGI on Windows with a vulnerable locale. PHP 8.0 and 7.x reached end of life before the advisory but are vulnerable in the same configuration. Linux installs, Windows hosts running PHP in FastCGI process-manager mode, and Windows hosts running non-vulnerable locales (English, most European languages) are not directly exposed to the argument-injection chain, though the broader class of PHP-CGI hardening guidance still applies.
The practical distribution matters more than the abstract version list. XAMPP for Windows bundled vulnerable PHP-CGI with its default Apache configuration through its 8.0, 8.1, and 8.2 series. Any XAMPP install used for production (which PHP maintainers have long discouraged) was a ready-made target. PHP-CGI is also commonly enabled on older IIS installations that were never migrated to FastCGI, and on consumer-grade Japanese hosting panels that still ship with Shift-JIS locales.
Inventory questions every team should answer:
- Does any Windows host in the estate run
php-cgi.exeas a CGI handler rather than through FastCGI Process Manager - What is the active system locale on each such host
- Is XAMPP or a similar bundle installed on any developer workstation that is reachable from a corporate network
The third question is the one organizations miss most. Developer laptops with XAMPP exposed through weak firewall rules have been documented as initial-access footholds for opportunistic scanning campaigns.
How does the exploit chain work end-to-end?
The exploit chain works by sending a single HTTP request whose query string uses Unicode dash variants to smuggle PHP command-line options past the sanitizer. A minimal example from the Devcore writeup uses the soft hyphen followed by d allow_url_include=1 d auto_prepend_file=php://input, with the POST body containing the PHP code to execute. The Windows best-fit conversion turns each soft hyphen into a dash at process-creation time, PHP-CGI interprets the result as legitimate option flags, and auto_prepend_file is directed to read the request body and execute it as PHP before any requested script runs.
End-to-end flow reported publicly:
- Attacker issues a GET or POST request with a URL-encoded soft hyphen where PHP options would normally be rejected
- The web server passes the raw query string to
php-cgi.exe - Windows applies best-fit mapping and the CGI binary sees ASCII dashes
- PHP enables
allow_url_include, setsauto_prepend_file=php://input, and then evaluates the body as PHP - The PHP process executes with the service account of the web server
Public PoCs landed on GitHub within hours of disclosure. Honeypot operators Shadowserver and GreyNoise reported mass scanning by early the following week, and Imperva documented TellYouThePass ransomware operators using the CVE to drop loaders on Windows hosts around June 10, 2024.
What public detection IoCs did vendors and researchers publish?
Public detection IoCs center on request-path anomalies, process lineage, and ransom-note artifacts that vendors reported during the initial exploitation wave. As reported by Imperva, Cisco Talos, and Trend Micro in their post-disclosure writeups:
- HTTP requests whose query string contains URL-encoded
%AD(soft hyphen),%E2%80%93(en dash),%E2%80%94(em dash), or%80(non-breaking hyphen variants) followed byd+,D+, or variants that decode to PHP option flags - HTTP request bodies that begin with
<?phpon endpoints that do not normally accept raw PHP uploads php-cgi.exechild processes ofhttpd.exe,w3wp.exe, ornginx.exespawningcmd.exe,powershell.exe, orcertutil.exe- TellYouThePass campaign indicators reported by Imperva:
.lockedextensions on encrypted files andREADME.htmlransom notes dropped under the web root
Network-layer detection worked well for the first wave because attackers sent unmodified PoC strings. Later campaigns diversified their encodings, so signature-only defenses need to be paired with process-lineage monitoring on the Windows host itself.
What does the patch and hardening plan look like?
The patch plan is to upgrade PHP to 8.3.8, 8.2.20, or 8.1.29 or later and, independently, to stop using PHP-CGI as a handler. The PHP security team has said for more than a decade that mod_php and FastCGI Process Manager are the supported production deployment modes, and PHP-CGI is retained only for legacy compatibility. Any patching exercise for this CVE is a good trigger to migrate those workloads.
Hardening steps that reduce exposure independently of version:
- Disable
cgi.force_redirectbypass paths and ensure the web server does not exposephp-cgi.exeas a generic handler - Switch IIS handlers from PHP-CGI to PHP-FPM via the Microsoft-supported connector
- For XAMPP dev installs, bind Apache to localhost and block port 80 at the Windows firewall
- Treat any Windows host running CJK locales with PHP-CGI as exposed until proven otherwise
- Use a WAF rule that blocks non-ASCII characters in query strings on PHP endpoints as a compensating control until patches are deployed
Organizations that completed the FPM migration during the 2012 CVE cycle were unaffected by this incident. Those that had kept PHP-CGI running for a decade for a single legacy application typically discovered, during the 2024 patch cycle, that the legacy application no longer existed.
What are the supply chain implications?
The supply chain implications run through bundled distributions and third-party web-hosting panels. XAMPP, WampServer, Laragon, and similar developer bundles repackage PHP-CGI on Windows and historically lag upstream by weeks to months. Hosting panels such as Plesk for Windows and commercial Japanese panels frequently ship PHP-CGI as the default handler for historical reasons. Organizations whose vendor stack includes any of these products inherit the vulnerability timeline of the bundler, not the upstream PHP project.
Security-relevant questions to push to vendors whose products embed PHP on Windows:
- Does the product ship PHP-CGI, mod_php, or PHP-FPM
- What is the default locale on the bundled operating system image
- What is the vendor's SLA for propagating upstream PHP security patches
Several managed hosting providers issued customer advisories in June 2024 acknowledging that their Windows PHP-CGI customers needed manual intervention, not just vendor patching, because legacy configurations had been carried forward across version upgrades. That is a structural problem a CVE advisory alone cannot fix.
How Safeguard.sh Helps
Safeguard.sh inventories PHP-CGI deployments through 100-level dependency depth analysis that walks binary layers inside Windows images, XAMPP bundles, and third-party hosting-panel packages to surface every instance of php-cgi.exe and its locale configuration. Reachability analysis cuts 60 to 80 percent of findings by confirming which PHP installs are exposed through an HTTP entry point versus those sitting on isolated developer workstations, so patch prioritization reflects real exploit paths. Griffin AI autonomously generates migration plans from PHP-CGI to PHP-FPM on IIS and Apache, and proposes WAF rules that block Unicode dash encodings as an immediate compensating control. Container self-healing rebuilds PHP-bearing images against patched 8.3.8, 8.2.20, and 8.1.29 bases without manual pipeline intervention, and SBOM generation and ingest captures the mixed-version reality of PHP across bundled vendor products so third-party risk assessments reflect actual exposure.