
CVE-2024-4577 is a PHP-CGI vulnerability (CVSS score 9.8) resulting in RCE; it affects PHP running in CGI mode on Windows. The flaw enables an attacker to remotely execute malicious commands on compromised systems. The vulnerability is exacerbated on hosts using certain localizations, including Traditional Chinese, Simplified Chinese, and Japanese.
In June 2024, PHP developers released patches fixing CVE-2024-4577; shortly after that, WatchTowr Labs published a PoC exploit for this vulnerability, and information security specialists reported the first attacks involving its exploitation.
According to Cisco Talos, unknown attackers have been exploiting CVE-2024-4577 since January 2025 in attacks targeting Japanese organizations.
The malefactors tried to steal credentials from the attacked organizations, gain footholds in compromised systems, escalate their privileges to SYSTEM level, deploy various tools and frameworks, and use the TaoWu plugins for Cobalt Strike.
GreyNoise reports that the cybercriminals behind this sophisticated malicious campaign are operating at a global scale, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
In the first month of 2025, the Global Observation Grid (GOG) detected 1,089 unique IP addresses used for CVE-2024-4577 exploitation.
“While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in Singapore/Indonesia, UK/Spain/India. More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” – GreyNoise
According to GreyNoise, at least 79 exploits are currently available for CVE-2024-4577.
