CVE-2024-457 is a PHP-CGI vulnerability (CVSS score 9.8) resulting in RCE; it affects PHP-CGI implementations of PHP on Windows. The flaw enables an attacker to remotely execute malicious commands on compromised systems. The vulnerability is exacerbated on hosts using certain localizations, including Traditional Chinese, Simplified Chinese, and Japanese.
In June 2024, PHP developers released patches fixing CVE-2024-4577; shortly after that, WatchTowr Labs published a PoC exploit for this vulnerability; and information security specialists reported first attacks involving its exploitation.
According to Cisco Talos, unknown attackers have been exploiting CVE-2024-4577 since January 2025 in attacks targeting Japanese organizations.
The malefactors tried to steal credentials of attacked organizations, gain footholds in compromised systems, escalate their privileges to SYSTEM level, deploy various tools and frameworks, and use Cobalt Strike TaoWu plugins.
GreyNoise reports that cybercriminals behind this sophisticated malicious campaign are acting at a global scale with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
In the first month of 2025, the Global Observation Grid (GOG) detected 1,089 unique IP addresses used for CVE-2024-4577 exploitation.
“While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in Singapore/Indonesia, UK/Spain/India. More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” – GreyNoise
According to GreyNoise, at least 79 exploits are currently available for CVE-2024-4577.
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →