CVE-2025-34061
Published 2025-07-03
Priority P272, critical, 9.3 (CVSS 4.0)
CVSS vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.17% (63.5th percentile)
A backdoor in PHPStudy versions 2016 through 2018 allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. The backdoor listens for base64-encoded PHP payloads in the Accept-Charset HTTP header of incoming requests, then decodes and executes the payload without proper validation. This leads to remote code execution as the web server user, compromising the affected system.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| henan_xiaopi_security_technology_co_ltd | phpstudy | 2016 – 2018 | — |
Detection & IOCs (extracted from sources)
- Inspect HTTP requests for base64-encoded PHP code in the Accept-Charset header; any such request targeting a PHPStudy 2016–2018 installation is indicative of CVE-2025-34061 exploitation.
- A Metasploit module exists for detection and exploitation of this backdoor; presence of this module's traffic patterns (multi/http/phpstudy_backdoor_rce) should be treated as an active exploitation attempt.
- The backdoor is present in PHPStudy versions 2016 through 2018 only; installations outside this version range are not affected.
- Code execution occurs in the context of the web server user, so impact scope depends on the privilege level of that account.
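
One way to apply the Accept-Charset inspection described above to captured requests. This is an added example, not a rule from the sources indexed on this page. The function names, the `PHP_HINT` keyword heuristic, the host `phpstudy.example` and the sample requests are all constructed assumptions.

```python
import base64
import binascii
import re

# Heuristic for decoded text that looks like PHP source (assumption, tune per site).
PHP_HINT = re.compile(
    r"\b(?:echo|print|eval|assert|system|exec|passthru|shell_exec)\b|\$\w+|\w+\s*\(.*\)\s*;")

def accept_charset(raw_request):
    """Return the Accept-Charset value of a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "accept-charset":
            return value.strip()
    return None

def decode_if_base64(value):
    """Strictly base64-decode value (padding restored); None unless printable ASCII."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    ok = text and all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if ok else None

def detect(raw_request):
    """Return the decoded payload if Accept-Charset carries base64-encoded PHP-like text."""
    value = accept_charset(raw_request)
    text = decode_if_base64(value) if value is not None else None
    return text if text and PHP_HINT.search(text) else None

def scan(requests):
    """Return (index, decoded_text) for every request that matches."""
    return [(i, hit) for i, req in enumerate(requests) if (hit := detect(req))]

# Constructed sample traffic; the payload is an inert echo statement.
SAMPLE = base64.b64encode(b"echo 'constructed-sample';").decode()
BASE = "GET /index.php HTTP/1.1\r\nHost: phpstudy.example\r\n"
REQUESTS = [
    BASE + "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n\r\n",   # normal browser value
    BASE + "accept-charset: " + SAMPLE.rstrip("=") + "\r\n\r\n",  # padding stripped
    BASE + "Accept-Charset: utf8\r\n\r\n",                       # base64 alphabet, not text
]

if __name__ == "__main__":
    for index, text in scan(REQUESTS):
        print(f"request {index}: Accept-Charset decodes to PHP-like text: {text!r}")
```

Ordinary charset lists fail strict base64 decoding because of characters such as `-`, `;` and `*`, so the keyword heuristic only has to separate decodable text from PHP-like text.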