Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

📟 News

Date: 12/03/2025

GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024.

CVE-2024-457 is a PHP-CGI vulnerability (CVSS score 9.8) resulting in RCE; it affects PHP-CGI implementations of PHP on Windows. The flaw enables an attacker to remotely execute malicious commands on compromised systems. The vulnerability is exacerbated on hosts using certain localizations, including Traditional Chinese, Simplified Chinese, and Japanese.

In June 2024, PHP developers released patches fixing CVE-2024-4577; shortly after that, WatchTowr Labs published a PoC exploit for this vulnerability; and information security specialists reported first attacks involving its exploitation.

According to Cisco Talos, unknown attackers have been exploiting CVE-2024-4577 since January 2025 in attacks targeting Japanese organizations.

The malefactors tried to steal credentials of attacked organizations, gain footholds in compromised systems, escalate their privileges to SYSTEM level, deploy various tools and frameworks, and use Cobalt Strike TaoWu plugins.

GreyNoise reports that cybercriminals behind this sophisticated malicious campaign are acting at a global scale with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.

In the first month of 2025, the Global Observation Grid (GOG) detected 1,089 unique IP addresses used for CVE-2024-4577 exploitation.

“While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in Singapore/Indonesia, UK/Spain/India. More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” – GreyNoise

According to GreyNoise, at least 79 exploits are currently available for CVE-2024-4577.

Related posts:
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains

watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello

Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…

Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers

Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…

Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years

Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…

Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024

According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…

Full article →