diff --git a/NEWS b/NEWS
index 79453e282ea..050c222fcab 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,8 @@ PHP NEWS
 . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
 . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
 . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
+ . Fixed bug #77428 (mb_ereg_replace() doesn't replace a substitution
+ variable). (Nikita)
 - MySQLnd:
 . Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 85219b00e4f..cc96e04f39f 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -791,7 +791,9 @@ static inline void mb_regex_substitute(
 no = onig_name_to_backref_number(regexp, (OnigUChar *)name, (OnigUChar *)name_end, regs);
 break;
 default:
- p += clen;
+ /* We're not treating \ as an escape character and will interpret something like
+ * \\1 as \ followed by \1, rather than \\ followed by 1. This is because this
+ * function has not supported escaping of backslashes historically. */
 smart_str_appendl(pbuf, sp, p - sp);
 continue;
 }
diff --git a/ext/mbstring/tests/bug77428.phpt b/ext/mbstring/tests/bug77428.phpt
new file mode 100644
index 00000000000..f153412acbd
--- /dev/null
+++ b/ext/mbstring/tests/bug77428.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #77428: mb_ereg_replace() doesn't replace a substitution variable
+--FILE--
+
+--EXPECT--
+string(4) "a\%c"
+string(4) "a\%c"
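Review bot: The new comment in the `default:` branch of `mb_regex_substitute` explains why backslashes are not escapable, but not what `smart_str_appendl(pbuf, sp, p - sp); continue;` does once `p += clen;` is gone. It appears to copy only the backslash and leave `p` on the following character for the next iteration to scan again; that holds only if `p` was already advanced past `sp` before the `switch`, which lies outside this hunk and should be confirmed. I would append to the comment: `Only the backslash (sp..p) is copied here; p stays on the next character so it is scanned again.` Because `\\1` now expands to `\` followed by group 1, callers that double backslashes to neutralise untrusted replacement text are not protected from backreference expansion. The expected output visible in bug77428.phpt (`a\%c`) does not obviously pin that case, so a test line covering `\\1` would be worth adding.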