Global surge in attacks exploiting critical PHP flaw

Threat intelligence also warns that at least 79 exploits are publicly available online.

Vulnerability CVE-2024-4577 is under mass exploitation

A critical PHP remote code execution (RCE) vulnerability, CVE-2024-4577, impacting Windows systems running PHP in CGI mode, is now under mass exploitation worldwide, according to a warning issued by threat intelligence company GreyNoise.

This follows earlier reports of targeted attacks against Japanese organisations and the rapid weaponisation of the flaw by ransomware groups.

CVE-2024-4577, a PHP-CGI argument injection flaw patched by PHP maintainers on 7th June 2024, allows unauthenticated attackers to run arbitrary code, leading to complete system compromise.

The description of the vulnerability states: "In PHP versions 8.1 (before 8.1.29), 8.2 (before 8.2.20), 8.3 (before 8.3.8), when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use 'Best-Fit' behaviour to replace characters in command line given to Win32 API functions."

"PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."

The flaw specifically affects Windows PHP installations running in CGI mode.
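The affected version ranges and the "Windows plus CGI" condition quoted above can be turned into a quick triage check. The script below is an added example written for this article, not code from GreyNoise, Talos or the PHP project: it parses a `php -v` banner (assumed to keep the usual "PHP x.y.z (sapi) (built: ...)" layout), compares the release against the fixed versions named in the advisory, and reports whether the host matches the exposed configuration. The handling of branches before 8.1 (no patched release, so treated as affected) and after 8.3 (released after the fix) is this example's own assumption.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory quoted above; an install below the fixed
# release on the same branch is affected.
FIXED_RELEASES = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

# Matches the first line of `php -v`, e.g. "PHP 8.2.19 (cgi-fcgi) (built: ...)".
# Assumption: the banner keeps this layout; "-dev"/"RC" suffixes are skipped by \S*.
BANNER_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S*\s+\((?P<sapi>[^)]+)\)", re.MULTILINE)


def parse_php_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), sapi) from `php -v` output, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group("sapi").strip().lower()


def is_affected_version(version: Tuple[int, int, int]) -> bool:
    """True if this release predates the fix on its branch."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    if branch < (8, 1):
        # Assumption: branches before 8.1 were end-of-life when the fix shipped and
        # received no patched release, so they are treated as affected.
        return True
    # 8.4 and later were released after the June 2024 fix.
    return False


def assess(banner: str, on_windows: bool = True) -> dict:
    """Combine version, SAPI and platform into one verdict.

    "patch"   - affected version running as php-cgi on Windows: the exposed setup
    "review"  - affected version, but not the Windows CGI configuration the CVE covers
    "ok"      - fixed or unaffected release
    "unknown" - banner could not be parsed
    """
    parsed = parse_php_banner(banner)
    if parsed is None:
        return {"verdict": "unknown", "version": None, "sapi": None}
    version, sapi = parsed
    affected = is_affected_version(version)
    cgi_on_windows = on_windows and sapi.startswith("cgi")
    if affected and cgi_on_windows:
        verdict = "patch"
    elif affected:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "version": ".".join(map(str, version)),
        "sapi": sapi,
        "affected_version": affected,
        "cgi_on_windows": cgi_on_windows,
    }


if __name__ == "__main__":
    # Constructed banners, not output captured from a real host.
    for b in (
        "PHP 8.2.19 (cgi-fcgi) (built: May  8 2024 10:11:12) (NTS Visual C++ 2019 x64)",
        "PHP 8.3.8 (cgi-fcgi) (built: Jun  5 2024 09:00:00) (NTS Visual C++ 2019 x64)",
        "PHP 8.1.10 (cli) (built: Sep  1 2022 12:00:00) (NTS Visual C++ 2019 x64)",
    ):
        print(assess(b))
```

Run it against the output of `php-cgi.exe -v` rather than `php.exe -v`, since the CLI binary reports its own SAPI; a "review" result on a build that still predates the fix is still a reason to update, because the version itself is affected even where the CGI exposure is absent.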

GreyNoise's alert comes after Cisco Talos revealed last week that an unknown attacker had been exploiting CVE-2024-4577 to target Japanese entities since at least early January 2025.

The researchers revealed that once inside the system, the attacker deploys PowerShell scripts to execute a reverse HTTP shellcode using Cobalt Strike, a widely abused penetration testing framework.

Following successful exploitation, the attacker executes a series of post-exploitation activities using plugins from the publicly available Cobalt Strike kit, specifically a toolset known as "TaoWu."

These activities include:

  • Privilege Escalation: Exploiting known vulnerabilities using tools such as SweetPotato, JuicyPotato, and RottenPotato to gain SYSTEM-level access.
  • Persistence Mechanisms: Altering registry keys, adding scheduled tasks, and creating malicious services to maintain long-term access.
  • Log Erasure and Stealth Techniques: Deleting event logs using wevtutil commands to remove traces of unauthorised access.
  • Network Reconnaissance: Deploying "fscan.exe" and "Seatbelt.exe" to scan for lateral movement opportunities.
  • Abuse of Group Policy Objects (GPOs): Using "SharpGPOAbuse.exe" to run malicious PowerShell scripts across the compromised network.
  • Credential Theft: Running Mimikatz to extract passwords and NTLM hashes from system memory.
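
The post-exploitation chain described by Talos (php-cgi launching PowerShell, wevtutil clearing logs, scheduled tasks and services for persistence, named tooling such as fscan and Seatbelt) gives a defender concrete process-creation patterns to hunt for. The script below is an added example written for this article, not a Talos or GreyNoise detection: it runs a handful of such rules over constructed process-creation events. The event field names, the sample command lines and the choice of the Run key as the registry location of interest are this example's own assumptions; map the fields to your EDR or Sysmon schema (Image, ParentImage, CommandLine) before use.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry). Field names are an
# assumption; map them to your EDR/Sysmon schema before use.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T03:12:01Z", "parent": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "..."'},
    {"ts": "2025-01-10T03:13:44Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"ts": "2025-01-10T03:14:02Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"},
    {"ts": "2025-01-10T03:15:30Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\fscan.exe", "cmdline": "fscan.exe -h 10.0.0.0/24"},
    # Benign activity that must not fire.
    {"ts": "2025-01-10T09:00:00Z", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2025-01-10T09:05:00Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil qe Application /c:5"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Tool names from the Talos write-up. Attackers rename binaries, so a filename match
# is weak on its own; pair it with hash and behavioural detections.
TOOLING = {"fscan.exe", "seatbelt.exe", "sharpgpoabuse.exe", "mimikatz.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: Dict) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    # A CGI worker has no business launching an interactive shell.
    if parent == "php-cgi.exe" and image in SHELLS:
        hits.append("php-cgi spawned a shell (post-exploitation foothold)")
    # "cl" / "clear-log" wipe a log; queries ("qe") are normal admin use.
    if image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd, re.I):
        hits.append("event log cleared via wevtutil")
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        hits.append("scheduled task created (persistence)")
    if image == "sc.exe" and re.search(r"\bcreate\b", cmd, re.I):
        hits.append("service created (persistence)")
    # Assumption: the Run key is the registry location worth alerting on here.
    if image == "reg.exe" and re.search(r"\badd\b.*currentversion\\run", cmd, re.I):
        hits.append("Run key modified (persistence)")
    if image in TOOLING:
        hits.append(f"known tooling executed: {image}")
    return hits


def scan(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event and keep only events with at least one hit."""
    findings = []
    for ev in events:
        rules = detect(ev)
        if rules:
            findings.append({"ts": ev["ts"], "image": basename(ev["image"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ts"], f["image"], "->", "; ".join(f["rules"]))
```

The php-cgi-to-shell rule is the one worth the most attention: it fires at the moment of initial compromise, before the log-clearing step removes later evidence. Clearing the Security log also writes Event ID 1102 (audit log cleared) as the first entry of the fresh log, so forwarding logs off-host keeps that trace even after wevtutil runs.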

GreyNoise said threat actors are targeting vulnerable devices globally, with notable increases in exploitation activity observed in the United States, Japan, Singapore, and other countries since January 2025.

In January alone, GreyNoise's Global Observation Grid (GOG) honeypot network detected 1,089 unique IP addresses attempting to exploit the vulnerability.

"More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China," GreyNoise said.

The company also warns that at least 79 exploits are now publicly available online.

The threat landscape surrounding CVE-2024-4577 has evolved rapidly since its disclosure. WatchTowr Labs released proof-of-concept (PoC) exploit code just a day after the patches were issued in June 2024, and the Shadowserver Foundation immediately reported observing exploitation attempts.

Prior to the global surge, CVE-2024-4577 was also exploited by unknown attackers to backdoor a university's Windows systems in Taiwan with a newly discovered malware dubbed Msupedge.