CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
A backdoor in PHPStudy versions 2016 through 2018 allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. The backdoor listens for base64-encoded PHP payloads in the Accept-Charset HTTP header of incoming requests, then decodes and executes the payload without proper validation. This leads to remote code execution as the web server user, compromising the affected system.
Analysis
PHPStudy development environment versions 2016 through 2018 contain an embedded backdoor that executes arbitrary PHP code from HTTP request headers. The backdoor listens for base64-encoded payloads in the Accept-Charset header, decodes and executes them without any authentication, providing complete remote code execution on any server running the compromised PHPStudy.
Technical Context
PHPStudy bundles Apache+PHP+MySQL for Windows development. Versions 2016-2018 were distributed with a backdoor that intercepts every HTTP request and checks the Accept-Charset header for base64-encoded PHP code. If found, the code is decoded and executed via eval(). This affects every website hosted on the compromised PHPStudy installation.
Affected Products
PHPStudy 2016, PHPStudy 2017, PHPStudy 2018
Remediation
Reinstall PHPStudy from verified sources or migrate to XAMPP/WAMP. Never use PHPStudy in production. Audit servers that ran PHPStudy 2016-2018 for compromise indicators. Consider all data on affected servers as potentially exfiltrated.
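One way to approach the audit step above, as an added example that is not part of the original advisory: it scans recorded request headers for Accept-Charset values that are not charset lists but decode cleanly as base64 text. The record layout, the sample entries and the function names are assumptions made for illustration.

```python
import base64
import binascii
import codecs

def is_charset_list(value):
    """True if every comma-separated item is '*' or a charset name Python knows."""
    for item in value.split(","):
        name = item.split(";", 1)[0].strip()  # drop any ;q= weight
        if name == "*":
            continue
        try:
            codecs.lookup(name)
        except (LookupError, ValueError):
            return False
    return True

def decode_suspect(value):
    """Return the decoded text if value is strict base64 of readable text, else None."""
    try:
        text = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    readable = all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if text and readable else None

def audit(records):
    """Return (client, decoded_text) for each record matching the backdoor trigger."""
    hits = []
    for rec in records:
        headers = {k.lower(): v for k, v in rec["headers"].items()}
        value = headers.get("accept-charset", "")
        if not value or is_charset_list(value):
            continue
        decoded = decode_suspect(value)
        if decoded is not None:
            hits.append((rec["client"], decoded))
    return hits

# Constructed sample records (documentation IP ranges, harmless decoded text).
SAMPLE = [
    {"client": "192.0.2.10", "headers": {"Accept-Charset": "utf-8, iso-8859-1;q=0.5"}},
    {"client": "198.51.100.7", "headers": {"accept-charset": "ZWNobyAxOw=="}},
    {"client": "192.0.2.11", "headers": {"Accept-Charset": "x-unknown"}},
    {"client": "192.0.2.12", "headers": {}},
]

if __name__ == "__main__":
    for client, text in audit(SAMPLE):
        print(f"{client}: Accept-Charset decodes to {text!r}")
```

The default Apache access log formats do not record this header, so the input has to come from a log format that includes `%{Accept-Charset}i` or from a proxy or WAF capture. The decoded text is only reported, never executed.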
EUVD-2025-19906