CVE-2024-457 is a PHP-CGI vulnerability (CVSS score 9.8) resulting in RCE; it affects PHP-CGI implementations of PHP on Windows. The flaw enables an attacker to remotely execute malicious commands on compromised systems. The vulnerability is exacerbated on hosts using certain localizations, including Traditional Chinese, Simplified Chinese, and Japanese.
In June 2024, PHP developers released patches fixing CVE-2024-4577; shortly after that, WatchTowr Labs published a PoC exploit for this vulnerability; and information security specialists reported first attacks involving its exploitation.
According to Cisco Talos, unknown attackers have been exploiting CVE-2024-4577 since January 2025 in attacks targeting Japanese organizations.
The malefactors tried to steal credentials of attacked organizations, gain footholds in compromised systems, escalate their privileges to SYSTEM level, deploy various tools and frameworks, and use Cobalt Strike TaoWu plugins.
GreyNoise reports that cybercriminals behind this sophisticated malicious campaign are acting at a global scale with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
In the first month of 2025, the Global Observation Grid (GOG) detected 1,089 unique IP addresses used for CVE-2024-4577 exploitation.
“While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in Singapore/Indonesia, UK/Spain/India. More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” – GreyNoise
According to GreyNoise, at least 79 exploits are currently available for CVE-2024-4577.
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →