CVE-2025-34061

Name of the Vulnerable Software and Affected Versions: PHPStudy versions 2016 through 2018

Description: A backdoor in PHPStudy allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. The backdoor listens for base64-encoded PHP payloads in the Accept-Charset HTTP header of incoming requests, decodes and executes the payload without proper validation. This leads to remote code execution as the web server user, compromising the affected system.

Recommendations: For PHPStudy versions 2016 through 2018, consider disabling the acceptance of base64-encoded PHP payloads in the Accept-Charset HTTP header as a temporary workaround until a patch is available. Restrict access to the web server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.