CVE-2025-34061
published 2025-07-03


Priority: P2 72 · critical · 9.3 · CVSS 4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.17% (63.5th percentile)

A backdoor in PHPStudy versions 2016 through 2018 allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. The backdoor listens for base64-encoded PHP payloads in the Accept-Charset HTTP header of incoming requests, then decodes and executes the payload without proper validation. This leads to remote code execution as the web server user, compromising the affected system.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| henan_xiaopi_security_technology_co_ltd | phpstudy | 2016 – 2018 | |

Detection & IOCs

header: Accept-Charset: base64-encoded PHP payload
  • Inspect HTTP requests for base64-encoded PHP code in the Accept-Charset header; any such request targeting a PHPStudy 2016–2018 installation is indicative of CVE-2025-34061 exploitation.
  • A Metasploit module exists for detection and exploitation of this backdoor; presence of this module's traffic patterns (multi/http/phpstudy_backdoor_rce) should be treated as an active exploitation attempt.
  • The backdoor is present in PHPStudy versions 2016 through 2018 only; installations outside this version range are not affected.
  • Code execution occurs in the context of the web server user, so impact scope depends on the privilege level of that account.
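
The header inspection described above, as an added detection sketch (not from the CVE record or any vendor tooling). The function names, the `PHP_LIKE` heuristics, the length threshold and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Heuristic markers of PHP source in decoded text (assumption; tune for your traffic).
PHP_LIKE = re.compile(r"<\?php|\$\w+|\w+\s*\(|;\s*$")
MIN_DECODED_LEN = 8  # short charset names such as "big5" are also valid base64

def decode_candidate(value):
    """Return decoded text if the value is base64 of printable ASCII, else None."""
    compact = "".join(value.split())
    # Values containing ',', ';', '-' or '*' are charset lists, not one base64 string.
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    compact = compact.rstrip("=")
    compact += "=" * (-len(compact) % 4)  # lenient decoders accept missing padding
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_DECODED_LEN:
        return None
    if any(b > 0x7E or (b < 0x20 and b not in (9, 10, 13)) for b in raw):
        return None  # binary output: not source text
    return raw.decode("ascii")

def classify(value):
    text = decode_candidate(value)
    if text is None:
        return "benign"
    return "php-like" if PHP_LIKE.search(text) else "base64-text"

def scan(requests):
    """requests: iterable of (source, headers dict). Returns non-benign hits."""
    hits = []
    for src, headers in requests:
        for name, value in headers.items():
            if name.lower() == "accept-charset" and classify(value) != "benign":
                hits.append((src, classify(value)))
    return hits

# Constructed sample requests (documentation IP ranges, harmless test strings).
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"Accept-Charset": "utf-8, iso-8859-1;q=0.5"}),
    ("192.0.2.11", {"accept-charset": "big5"}),
    ("198.51.100.7", {"Accept-Charset": base64.b64encode(b'echo "detection-test";').decode()}),
    ("198.51.100.8", {"Accept-Charset": base64.b64encode(b"hello world text").decode()}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Any Accept-Charset value that decodes to readable text is abnormal for this header, so the `base64-text` verdict is worth alerting on even when the PHP heuristics do not match.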