Threat intelligence firm GreyNoise warns that a critical PHP remote code execution vulnerability affecting Windows systems is now under mass exploitation.
Tracked as CVE-2024-4577, this PHP-CGI argument injection flaw was patched in June 2024 and affects Windows PHP installations running PHP in CGI mode. Successful exploitation allows unauthenticated attackers to execute arbitrary code on the server, leading to full system compromise.
A day after PHP maintainers released CVE-2024-4577 patches on June 7, 2024, WatchTowr Labs published proof-of-concept (PoC) exploit code, and the Shadowserver Foundation reported observing exploitation attempts.
GreyNoise's warning comes after Cisco Talos revealed earlier that an unknown attacker had been exploiting the same PHP vulnerability to target Japanese organizations since at least early January 2025.
While Talos observed the attackers attempting to steal credentials, it believes their goals extend beyond credential harvesting, based on post-exploitation activity that includes establishing persistence, elevating privileges to SYSTEM level, deploying adversarial tools and frameworks, and using "TaoWu" Cobalt Strike kit plugins.
New attacks expand to targets worldwide
However, as GreyNoise reported, the threat actors behind this malicious activity are casting a much wider net by targeting vulnerable devices globally, with significant increases observed in the United States, Singapore, Japan, and other countries since January 2025.
In January alone, its worldwide network of honeypots, known as the Global Observation Grid (GOG), observed 1,089 unique IP addresses attempting to exploit this PHP security flaw.
"While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread [..] More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China," the threat intelligence firm said, warning that at least 79 exploits are available online.
"In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets."
Previously, CVE-2024-4577 was exploited by unknown attackers who backdoored a university's Windows systems in Taiwan with newly discovered malware dubbed Msupedge.
The TellYouThePass ransomware gang also began exploiting the vulnerability to deploy webshells and encrypt victims' systems less than 48 hours after the patches were released in June 2024.