Threat actors have started exploiting en masse a critical vulnerability in PHP that could allow remote code execution on vulnerable servers, threat intelligence firm GreyNoise warns.
The flaw, tracked as CVE-2024-4577 (CVSS score of 9.8), can be exploited on Windows servers that are using Apache and PHP-CGI, if they are set to use certain code pages, to inject arguments remotely and execute arbitrary code.
Because PHP’s implementation in Windows did not consider the ‘Best-Fit’ behavior that controls the conversion of Unicode characters to the closest matching ANSI characters, attackers could supply specific character sequences that, when converted, would be misinterpreted as PHP options by the php-cgi module.
CVE-2024-4577 was publicly disclosed in June 2024, and the first exploitation attempts, attributed to a ransomware gang, were observed only two days later.
Last week, Cisco warned that, since January 2025, the security defect has been exploited in a malicious campaign targeting Japanese organizations across the education, entertainment, ecommerce, technology, and telecommunications sectors.
As part of the attacks, the attackers execute tools to gain System privileges, modify registry keys and add scheduled tasks to achieve persistence, and create malicious services using plugins of the Cobalt Strike kit ‘TaoWu’.
Now, GreyNoise says that the exploitation of CVE-2024-4577 is not limited to Japan. In fact, notable activity spikes have been observed in the US, the UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain, and Malaysia as well.
“GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone,” the cybersecurity firm notes, warning that there are 79 publicly available exploits targeting the flaw.
Over the past month, more than 43% of the IPs used in attacks targeting CVE-2024-4577 were from Germany and China, and GreyNoise in February observed an increase in exploitation against systems worldwide, “suggesting additional automated scanning for vulnerable targets”.
CVE-2024-4577 impacts all versions of PHP on Windows, and was addressed in PHP versions 8.1.29, 8.2.20, and 8.3.8. Users are advised to update their installations as soon as possible.
Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions
Related: Exploitation of Old ThinkPHP, OwnCloud Vulnerabilities Surges
Related: CISA Issues Exploitation Warning for .NET Vulnerability
Related: Exploitation of Over 700 Vulnerabilities Came to Light in 2024
