Vdesk Hangupphp3 Exploit Portable May 2026

In F5 systems, this script is triggered to terminate a local user session. You may be redirected to this page under several conditions:

  • Manual Logout: A user intentionally ends their session.
  • Authentication Issues: In some configurations, invalid credentials or expired passwords can trigger a redirect here instead of returning a standard 401 error.

Historical Vulnerabilities (Exploits)

Long-Term Fixes

| Solution | Effectiveness |
|----------|---------------|
| Upgrade vDesk to version 4.0+ (rewritten without pcntl signal hacks) | Complete |
| Disable pcntl in PHP (disable_functions = pcntl_fork, pcntl_signal) | High |
| Switch to Redis session handler (atomic operations) | High |
| Apply web application firewall (WAF) rule blocking hangup.php3?sig_type=SIGHUP | Medium |
| Migrate from PHP 3.x/5.x to PHP 8.x (built-in session hardening) | Required |

Exploit impact

  • Confidentiality: access to stored files, databases, credentials.
  • Integrity: modify application pages, plant backdoors, persist access.
  • Availability: destructive commands, ransomware, system resource exhaustion.
  • Reach: attacker can pivot to other hosts if credentials or SSH keys are present.
  1. The attacker would send a crafted User-Agent header containing PHP code:
    User-Agent: <?php system($_GET['cmd']); ?>
    
  2. The web server would log this User-Agent into access.log.
  3. Then, the attacker would call hangup.php3 with a path traversal pointing to the log file:
    /vdesk/hangup.php3?sess=../../../../var/log/apache/access.log%00
    
  4. Because the include() executed the log file’s contents, the PHP code inside the User-Agent would run, giving the attacker a web shell.

Why the page /my.policy redirects users to /vdesk/hangup.php3

// VULNERABLE CODE - DO NOT USE
$session_id = $HTTP_GET_VARS['sess'];
$ticket_id = $HTTP_GET_VARS['ticket'];
include("/vdesk/sessions/sess_" . $session_id);
// ... then close the ticket
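
A hardened counterpart to the vulnerable snippet above, as an added example (not code from vDesk, F5 or the original page). It assumes session IDs are 32 lowercase hex characters and that session files store JSON; the function names and demo data are hypothetical.

```php
<?php
// Added example, not vDesk or F5 code. Assumptions: session IDs are 32 lowercase
// hex characters and session files hold JSON; both are hypothetical.

function resolve_session_file(string $sessionId, string $baseDir): ?string
{
    // Allow-list the ID format. "../", "/", NUL bytes and anything else
    // outside [a-f0-9] fail here, before any path is built.
    if (preg_match('/\A[a-f0-9]{32}\z/', $sessionId) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/sess_' . $sessionId);
    if ($base === false || $path === false) {
        return null; // directory or session file does not exist
    }
    // Defence in depth: the resolved path (symlinks followed) must still
    // sit directly under the session directory.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

function load_session(string $sessionId, string $baseDir): ?array
{
    $file = resolve_session_file($sessionId, $baseDir);
    if ($file === null) {
        return null;
    }
    // Read the file as data. Unlike include(), this never hands the
    // contents to the PHP interpreter, so a poisoned file cannot execute.
    $raw = file_get_contents($file);
    $data = ($raw === false) ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Constructed demo data in a temporary directory.
$dir = sys_get_temp_dir() . '/vdesk_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$id = str_repeat('ab', 16);
file_put_contents("$dir/sess_$id", json_encode(['user' => 'alice']));

var_dump(load_session($id, $dir));                                       // well-formed ID
var_dump(load_session("../../../../var/log/apache/access.log\0", $dir)); // traversal value from the steps above
var_dump(load_session('not-a-session-id', $dir));                        // malformed ID
```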

Vdesk Hangup PHP 3 Exploit: A Remote Code Execution Vulnerability

The BIG-IP APM intentionally redirects clients to this script in several scenarios: