CVE-2024-4577 – PHP-CGI RCE Exploitation in Windows Servers

A newly identified cyber campaign has been actively targeting organizations across multiple sectors in Japan since January 2025. Threat actors of unknown origin have been exploiting CVE-2024-4577, a critical remote code execution (RCE) vulnerability in the PHP-CGI implementation of PHP on Windows, to gain unauthorized access to victim systems. This campaign has primarily impacted Japan’s technology, telecommunications, and e-commerce industries.

This blog explores the details of the vulnerability, its exploitation techniques, and the mitigation strategies organizations should adopt immediately.

CVE-2024-4577 – Risk Analysis

Severity: Critical
CVSS v3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Public exploit available: Yes
Exploit complexity: Low

Disclosed and patched in early June 2024, this flaw has been actively exploited by threat actors and affects PHP installations on Windows that run in CGI mode. CVE-2024-4577 arises from the way Windows converts character encodings when PHP runs as a CGI binary. The issue is linked to Best-Fit mapping, a Windows feature that, when converting a Unicode string to a code page that has no exact equivalent for a character, silently substitutes the closest-looking character instead of failing.

Root Cause

  • When Apache passes the query string to php-cgi.exe as command-line arguments, Windows converts the Unicode command line to the process's ANSI code page. On the Japanese (932), Simplified Chinese (936) and Traditional Chinese (950) code pages the Soft Hyphen (U+00AD, byte 0xAD) has no mapping, and Best-Fit maps it to a plain Hyphen (0x2D).
  • The argument-injection protection added for CVE-2012-1823 only rejects a query string that begins with a literal 0x2D, so a query string that begins with 0xAD passes the check.
  • By the time php-cgi.exe parses its arguments, 0xAD has become 0x2D, so an attacker can inject command-line options such as -d to override php.ini settings.

This bug is therefore a bypass of the fix for CVE-2012-1823, an argument injection flaw patched over a decade ago: the same -d injection, delivered through a character the old check did not recognize.

Affected Systems

  • PHP versions: 8.3.x before 8.3.8, 8.2.x before 8.2.20, 8.1.x before 8.1.29 (end-of-life branches such as 8.0, 7.x and 5.x are also affected and will not receive a fix)
  • Default XAMPP installations on Windows, whose httpd-xampp.conf exposes php-cgi.exe via a ScriptAlias
  • Windows systems running the Traditional Chinese (code page 950), Simplified Chinese (936) or Japanese (932) locales; these are the confirmed locales, so do not assume other locales are safe
  • Any Internet-facing Windows server exposing php.exe or php-cgi.exe

Key Risk Factors

  • Public exploit code available, making attacks easy to execute
  • Widespread use of PHP in web applications
  • Vulnerability actively exploited since early June 2024
  • Impact on organizations running PHP in Windows environments with CGI mode enabled

How is CVE-2024-4577 Being Exploited?

Initial Access and Attack Execution

Attackers are leveraging this vulnerability to execute malicious PowerShell scripts, enabling the deployment of a Cobalt Strike reverse HTTP shellcode payload. This payload grants persistent remote access to compromised endpoints, setting the stage for further exploitation.

Following initial access, the attackers engage in reconnaissance, privilege escalation, and lateral movement using a variety of tools, including:

  • JuicyPotato, RottenPotato, and SweetPotato – local privilege escalation to SYSTEM by abusing SeImpersonatePrivilege (the token-impersonation "Potato" family)
  • Fscan and Seatbelt – network scanning and host enumeration, respectively, to map the environment before moving laterally

To maintain persistence, the attackers modify the Windows Registry, set up scheduled tasks, and deploy custom services via plugins of the Cobalt Strike kit, notably the ‘TaoWu’ framework.

Evading Detection and Credential Theft

In an effort to remain undetected, the attackers erase event logs using wevtutil commands, effectively wiping traces from Windows security, system, and application logs. Ultimately, they execute Mimikatz commands to extract and exfiltrate passwords and NTLM hashes from the victim’s memory, securing access to further sensitive information.

Command-and-Control (C2) Infrastructure

A deeper investigation into the attackers’ C2 servers, which are linked to the Cobalt Strike tool, uncovered misconfigurations that left directory listings exposed on the internet. This led to the discovery of several adversarial tools and frameworks hosted on Alibaba Cloud servers. Some of the notable tools include:

  • Browser Exploitation Framework (BeEF) – A penetration testing tool that allows attackers to execute commands within a browser context.
  • Viper C2 – A modular C2 framework designed for remote command execution and the generation of Meterpreter reverse shell payloads.
  • Blue-Lotus – A JavaScript-based web shell and cross-site scripting (XSS) attack framework enabling attackers to steal browser cookies, capture screenshots, obtain reverse shell access, and create new CMS accounts.

Mitigation Strategies

  1. Immediate Patching – organizations should upgrade to a fixed release or later:

  • PHP 8.3.8
  • PHP 8.2.20
  • PHP 8.1.29

  2. Disable CGI Mode (If Unnecessary) – Modify the Apache configuration so PHP is not executed as a CGI binary (on XAMPP, comment out the ScriptAlias and Action lines in httpd-xampp.conf that route PHP through php-cgi.exe) and restrict access to the PHP executables (php.exe, php-cgi.exe). If CGI mode must stay enabled while patching is pending, a mod_rewrite rule that returns 403 for any query string beginning with %AD blocks the known exploitation pattern.
  3. Deploy Web Application Firewalls (WAFs) – WAFs mitigate exploitation of CVE-2024-4577 by detecting and blocking malicious payloads in HTTP requests. With command injection detection rules enabled, a WAF can inspect incoming traffic for the patterns associated with these remote code execution attempts (a soft hyphen or hyphen followed by a php-cgi option letter, and php.ini directives such as allow_url_include and auto_prepend_file in the query string) and drop the request before it reaches a vulnerable PHP-CGI installation.
  4. Threat Hunting and Monitoring – Conduct retro-hunts over web server access logs for query strings beginning with %AD (or %ad) followed by a php-cgi option letter, and for the older literal -d/-s forms. Monitor network traffic for unusual activity, especially connections to known malicious IPs, and for the follow-on activity described above (PowerShell spawned by the web server, wevtutil log clearing, scheduled task creation).
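The retro-hunt in step 4 can be scripted. The following is an added example written for this article, not tooling from Indusface or the PHP project. It assumes Apache combined-format access logs and models the RFC 3875 rule that a web server only passes the query string to a CGI binary as argv when the query string contains no unencoded "=" (which is why exploit attempts encode it as %3d). The log lines are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-log lines for this example (not real traffic):
# two CVE-2024-4577 attempts, one CVE-2012-1823-style probe, two benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2025:10:01:02 +0900] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
203.0.113.11 - - [18/Mar/2025:10:01:05 +0900] "GET /php-cgi/php-cgi.exe?%add+cgi.force_redirect%3d0+%add+disable_functions%3d HTTP/1.1" 200 120
198.51.100.7 - - [18/Mar/2025:10:01:40 +0900] "GET /index.php?-s HTTP/1.1" 200 2048
198.51.100.8 - - [18/Mar/2025:10:02:30 +0900] "GET /search.php?q=a-d+allow HTTP/1.1" 200 900
198.51.100.9 - - [18/Mar/2025:10:03:00 +0900] "GET /index.php?page=about&lang=ja HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SOFT_HYPHEN = 0xAD  # U+00AD; Best-Fit maps it to '-' on code pages 932/936/950
HYPHEN = 0x2D

# php-cgi options worth flagging: -d (set ini directive), -c (php.ini dir),
# -n (ignore php.ini), -s (highlight source, used for source disclosure in 2012).
ABUSABLE_OPTS = {b"d", b"c", b"n", b"s"}

# ini directives commonly injected to turn -d into code execution
SUSPECT_INI = (b"allow_url_include", b"auto_prepend_file",
               b"cgi.force_redirect", b"disable_functions")


def argv_from_query(raw_query: str) -> list[bytes]:
    """Model of RFC 3875 section 4.4: with no unencoded '=' in the query string,
    the server splits it on '+' and passes each URL-decoded piece as an argv entry.
    Decoding to bytes keeps 0xAD distinct from 0x2D, as php-cgi's old check saw it."""
    if "=" in raw_query:
        return []
    return [unquote_to_bytes(piece) for piece in raw_query.split("+") if piece]


def classify_args(argv: list[bytes]):
    """Return a reason string if any argv entry would be parsed as a php-cgi option."""
    for arg in argv:
        if len(arg) < 2:
            continue
        lead, opt = arg[0], arg[1:2]
        if lead == SOFT_HYPHEN and opt in ABUSABLE_OPTS:
            return f"CVE-2024-4577: soft hyphen (0xAD) before option -{opt.decode()}"
        if lead == HYPHEN and opt in ABUSABLE_OPTS:
            return f"CVE-2012-1823 style: literal hyphen before option -{opt.decode()}"
    return None


def find_php_cgi_injection(log_text: str) -> list[dict]:
    """Scan access-log text and return one finding per request that carries
    php-cgi argument injection, with the ini directives it tried to set."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        path, raw_query = m.group("target").split("?", 1)
        argv = argv_from_query(raw_query)
        reason = classify_args(argv)
        if reason is None:
            continue
        ini = sorted({k.decode() for a in argv for k in SUSPECT_INI if k in a})
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "reason": reason, "ini_directives": ini})
    return findings


if __name__ == "__main__":
    for hit in find_php_cgi_injection(SAMPLE_LOG):
        print(hit)
```

Run it against a real log with `find_php_cgi_injection(open(path, encoding="latin-1").read())`; the benign fourth line is not flagged even though it contains "a-d", because its unencoded "=" means Apache would never have passed it as argv. A WAF rule built on the same condition (decoded argument starting with 0xAD or 0x2D, no unencoded "=") catches the request before php-cgi.exe runs.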

AppTrana WAAP Coverage for CVE-2024-4577

Organizations using AppTrana WAAP are automatically protected against exploitation attempts targeting CVE-2024-4577. The platform provides proactive security by enforcing real-time threat detection and mitigation measures, ensuring customers remain protected from such attacks from Day 0.

Beyond relying solely on software patches, the Indusface managed security team has developed specialized rules to detect and block injection vulnerabilities in PHP. These tailored security measures help prevent remote code execution attempts, blocking attackers before they can establish persistence or escalate privileges.

During proof-of-concept (PoC) simulations, AppTrana WAAP effectively blocked exploitation attempts targeting CVE-2024-4577, as demonstrated in the screenshot.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.

Originally published at https://www.indusface.com on March 18, 2025.