CVE-2024-4577: PHP CGI Argument Injection on Windows
How a locale-specific Windows character-mapping quirk bypassed a decade-old PHP security patch and triggered a ransomware wave within 24 hours of disclosure

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2024-4577 is a critical argument injection vulnerability in PHP's CGI mode on Windows, disclosed by Devcore researcher Orange Tsai in June 2024. The flaw completely bypasses CVE-2012-1823, a twelve-year-old patch meant to block exactly this class of attack, by exploiting a Windows Unicode character-mapping behavior that PHP's security check never anticipated. Exploitation requires no authentication, no user interaction, and no special knowledge of the target beyond the existence of a PHP-CGI endpoint. TellYouThePass ransomware operators had working attacks deployed against live targets before most administrators had read the advisory.
Root Cause: Windows Best-Fit Character Mapping
PHP's CGI mode passes URL query strings to the PHP binary as command-line arguments. CVE-2012-1823 attempted to block argument injection by stripping leading hyphens from query strings before passing them to php-cgi.exe. CVE-2024-4577 bypasses this entirely through a Windows-specific feature called 'best-fit' character encoding conversion.
When Windows converts Unicode characters to a legacy ANSI code page, it maps certain Unicode code points to their closest ASCII equivalents. The soft hyphen (U+00AD) is mapped to a regular hyphen (U+002D) during this conversion. PHP's CVE-2012-1823 check only filters standard ASCII hyphens, so an attacker passes a soft hyphen in the URL query string, Windows converts it to a real hyphen during CGI processing, and the resulting argument reaches php-cgi.exe as a valid flag.
This allows injection of PHP runtime directives such as -d allow_url_include=1 and -d auto_prepend_file=php://input, enabling the attacker to prepend arbitrary PHP code to every request, full remote code execution from a single HTTP request.
Affected Versions and Exposure Surface
The vulnerability affects PHP running in CGI mode on Windows across three active branches: PHP 8.3 before 8.3.8, PHP 8.2 before 8.2.20, and PHP 8.1 before 8.1.29. End-of-life branches (8.0, 7.x, 5.x) were not patched and remain permanently vulnerable.
XAMPP installations were the highest-risk surface, XAMPP places php-cgi.exe in a web-accessible path by default and ships in CGI mode. Security researchers estimated tens of thousands of internet-exposed PHP-CGI endpoints based on Shodan scans taken shortly after disclosure. The character mapping quirk is most pronounced on Windows systems configured with Japanese, Traditional Chinese, or Simplified Chinese locales, but broader exploitation was observed across all Windows locale configurations with XAMPP defaults.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Exploitation Mechanics and Attack Chain
The full exploit is a single HTTP GET request. No multi-stage payload, no brute force, no credential material required.
Locate PHP-CGI Endpoint
Attacker identifies an internet-facing PHP-CGI endpoint, common paths include /php-cgi/php-cgi.exe or XAMPP default configurations accessible at the server root.
Craft Request with Soft Hyphen
GET request sent with query string containing U+00AD (soft hyphen, URL-encoded as %C2%AD or %AD) followed by PHP runtime flags: ?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input
Windows Character Conversion
Windows best-fit mapping converts U+00AD to a standard hyphen (U+002D) during CGI argument processing, after PHP's hyphen-stripping check has already run.
PHP Argument Injection
php-cgi.exe receives -d allow_url_include=1 -d auto_prepend_file=php://input as valid flags; PHP reads and executes attacker code from the HTTP request body.
Code Execution and Payload Delivery
Arbitrary PHP executes as the web server user. TellYouThePass operators dropped a PHP webshell in the first stage, then deployed the ransomware binary encrypting files on the server.
TellYouThePass Ransomware Exploitation
Akamai's Security Intelligence Group confirmed active TellYouThePass ransomware campaigns exploiting CVE-2024-4577 within hours of the June 6, 2024 disclosure. Operators used the RCE to drop a PHP webshell for persistent access, then deployed the ransomware binary to encrypt files and drop ransom notes.
TellYouThePass is a veteran ransomware family active since 2019 that specifically hunts server-side vulnerabilities rather than phishing endpoints. It previously mass-exploited Log4Shell (CVE-2021-44228) with the same rapid-weaponization pattern. Its operators monitor vulnerability disclosure channels closely and maintain infrastructure pre-positioned to launch campaigns within hours of a public PoC.
Indicators of Compromise
Detection focuses on anomalous PHP-CGI argument patterns in web server logs and unusual process behavior.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Steps in order of urgency:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2024-4577 is a masterclass in why 'patched twelve years ago' is not the same as 'safe forever.' A platform-specific quirk (Windows Unicode mapping) rendered a well-intentioned security fix completely ineffective on an entire OS. The sub-24-hour ransomware deployment window makes this one of the most aggressively exploited server-side vulnerabilities of 2024. Any PHP-CGI installation on Windows that was internet-facing during the disclosure window must be treated as potentially compromised.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Does CVE-2024-4577 affect PHP on Linux or macOS?
No. The vulnerability is Windows-specific. It exploits a Windows character-encoding conversion behavior (best-fit mapping) that does not exist on Linux or macOS. PHP-CGI on those platforms is not affected by this bypass.
Is PHP-FPM affected by CVE-2024-4577?
No. CVE-2024-4577 only affects PHP running in CGI mode (php-cgi.exe). PHP-FPM uses a different execution model that does not expose the CGI argument injection surface and is not affected.
How do I check whether my server was exploited before patching?
Review web server access logs for requests to PHP-CGI endpoints containing %AD, %C2%AD, or the raw soft hyphen (U+00AD) in query strings. Also audit web-accessible directories for newly created .php files (webshells) and check for unexpected outbound network connections from the PHP process.
Which PHP versions received patches for CVE-2024-4577, and which did not?
PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29 all received patches for CVE-2024-4577 released June 6, 2024. End-of-life PHP branches including PHP 8.0.x, PHP 7.x, and PHP 5.x did not receive a patch and remain permanently vulnerable on Windows. Organizations running these EOL versions must upgrade to a supported branch (PHP 8.1+) before the patch can be applied, a migration requirement that significantly increases the remediation burden for sites with legacy codebases.
Why did the CVE-2012-1823 patch fail to protect against CVE-2024-4577?
CVE-2012-1823 added a check that stripped leading hyphens from PHP-CGI query string arguments to prevent command injection. That check only matched standard ASCII hyphens (U+002D). CVE-2024-4577 bypasses it by using a soft hyphen (U+00AD), a different Unicode code point that Windows converts to a standard hyphen via best-fit character mapping during CGI processing, after PHP's hyphen-stripping check has already run. The security check never anticipated this Windows-specific Unicode conversion behavior because the original vulnerability and its fix predated this analysis of Windows character encoding.
What is XAMPP and why was it especially exposed to CVE-2024-4577?
XAMPP is a free, open-source Apache distribution for Windows bundling PHP, MySQL, and Perl, commonly used for local development and some production deployments. XAMPP installs PHP in CGI mode by default and places the php-cgi.exe binary in a web-accessible directory path (typically /xampp/php/). This configuration meant that any internet-facing XAMPP installation was directly exploitable via CVE-2024-4577 without any additional misconfiguration. Security researchers estimated XAMPP was the single largest contributor to the pool of vulnerable PHP-CGI endpoints visible from the internet at the time of disclosure.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
