Escalating Attacks Targeting CVE-2024-4577 in PHP-CGI for Windows

CVE-2024-4577 (CVSS 9.8 Critical) is currently climbing the winners’ podium of the most malicious security vulnerabilities. Disclosed in early June 2024 by Devcore security researchers, weaponization began within a mere 48 hours. It is a PHP-CGI OS Command Injection vulnerability [CWE-78] impacting PHP for Windows. Attacks distributing “TellYouThePass” ransomware were immediately observed and the CVE added to CISA’s KEV list (Known Exploited Vulnerabilities of the Cybersecurity and Infrastructure Security Agency). Several months later, exploitation of CVE-2024-4577 suddenly continues to escalate.

Greenbone provided vulnerability tests (VTs) to detect systems impacted by CVE-2024-4577 since it was released in June 2024. This allows defenders to identify affected systems across public-facing or internal network infrastructure. Let’s look deeper into the threat of CVE-2024-4577.

Exploiting CVE-2024-4577 for RCE and Lateral Movement

Proof of concept (PoC) exploit code and a full technical breakdown has long been published by watchTowr Labs, and a Metasploit module was also released in mid-2024. National CERT advisories have recently been issued by CERT New Zealand (CERT NZ) and the Canadian Center for Cyber Security. However, the flaw had already been alerted by CERT-EU, and CERT-FR (French Government CERT) back in June 2024.

Due to CVE-2024-4577, the PHP-CGI (Common Gateway Interface) may misinterpret certain characters as PHP options, which may allow a malicious user to pass options to the php.exe binary. This trick can reveal the source code of scripts or run arbitrary PHP code on the server. CVE-2024-4577 is considered a bypass of a long-ago patched vulnerability in PHP, CVE-2012-1823.

In the case that attackers gain initial access to a victim’s network through social engineering or a different software vulnerability, CVE-2024-4577 can provide an attacker with the opportunity for lateral movement, or covert persistence, penetrating deeper into a victim’s infrastructure and increasing the blast radius of a cyber attack.

A Brief Technical Explanation of CVE-2024-4577

In a nutshell, exploitation of CVE-2024-4577 works by leveraging Unicode character conversion to inject malicious command-line arguments to the php.exe process. On a high-level, web servers behave differently when CGI mode is enabled. A webserver will normally parse HTTP requests and pass them to a PHP script for processing. However, when CGI mode is enabled, attributes are extracted from the URL and passed as arguments to the executable PHP binary (php.exe on Windows). This PHP-CGI process is known to introduce distinct security risks.

Although PHP-GCI is supposed to sanitize shell meta characters (such as hyphens, double-hyphens, ampersands, and equal signs) before being passed, this still opens a pathway to command injection if attackers can find a way to bypass the sanitization process. PHP-CGI encoding was also the target of exploiting CVE-2012-1823. Furthermore, similar character encoding battles are continuously waged resulting in new ways for attackers to execute XSS and SQL injection vulnerabilities.

In the current iteration of this attack, using a soft hyphen (0xAD) instead of a standard hyphen (0x2D), attackers can initiate PHP directives to achieve Remote Code Execution (RCE). This is because Windows uses the UCS-2 character set, converts all characters to the UCS-2 code-point value and also executes an additional “best-fit” conversion. In the case of CVE-2024-4577, it is the best-fit schema that converts soft hyphens into standard hyphens. This allows injecting php.exe with arguments to prepend and execute the HTTP request body itself by adding the command “-d allow_url_include=1 -d auto_prepend_file=php://input” using URL encoded soft hyphens to the HTTP GET string. Soft hyphens are typically invisible UTF-8 characters used to specify locations word breaks, but only when necessary to fit the text on the line. Thanks to Windows’ best-fit conversion, they are effectively converted into command line flags.

CVE-2024-4577 is Being Leveraged Globally in 2025

According to new reports released in March 2025, attacks leveraging CVE-2024-4577 are ongoing,  widespread and escalating. Cisco detected exploitation of CVE-2024-4577 in January 2025, targeting Japanese education, ecommerce and telecommunications companies. After gaining initial access via PHP, attackers installed Cobalt Strike’s ‘TaoWu’ plugins and modified Windows registry keys to establish persistent access through scheduled tasks.

Another recent report from GreyNoise reveals that mass exploitation of CVE-2024-4577 has extended to targets in the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain and Malaysia. Germany and China were reportedly the primary sources of attacks, accounting for 43% globally. GreyNoise also maintains a honeynet that detected over 1,089 unique IPs attempting exploitation in January 2025 alone, and counted 79 publicly available, specialized exploit kits. The cybersecurity firm warned of growing attack volume in February 2025, driven by automated scanning and signaling a rapidly escalating cyber threat.

Mitigation for CVE-2024-4577

CVE-2024-4577 affects all PHP versions (including PHP 5 and PHP 7 which are end-of-life) before 8.1.29, 8.2.20 and 8.3.8 on Windows. The best mitigation is to upgrade to a patched version with urgency. For environments where immediate patching isn’t feasible, defenders may disable the execution of PHP-CGI mode in favor of PHP-FPM (FastCGI Process Manager) or alternatively, utilize a web-application firewall (WAF) to filter and block exploitation attempts. PHP system administrators should also note several additional security risks associated with CGI and review them for optimal security.

Greenbone has provided vulnerability tests (VTs) to detect systems impacted by CVE-2024-4577 since it was first disclosed in June 2024. This early detection capability allows defenders to identify affected systems across public facing or internal network infrastructure. Greenbone’s detection tests include remote version detections [1][2], and a remote active check [3].

Summary

CVE-2024-4577 is a critical PHP-CGI vulnerability affecting PHP installations on Windows, that allows remote code execution (RCE). The flaw was weaponized within 48 hours of disclosure and used in TellYouThePass ransomware attacks. According to reports from Cisco and GreyNoise, mass exploitation of CVE-2024-4577 has been escalating globally, and multiple national CERT advisories have been issued. Defenders need to identify where affected products are operating within their infrastructure, and immediately update to a fixed version of PHP, disable PHP-CGI completely or switch to PHP-FPM (FastCGI Process Manager).