Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

CVE-2024-457 is a PHP-CGI vulnerability (CVSS score 9.8) resulting in RCE; it affects PHP-CGI implementations of PHP on Windows. The flaw enables an attacker to remotely execute malicious commands on compromised systems. The vulnerability is exacerbated on hosts using certain localizations, including Traditional Chinese, Simplified Chinese, and Japanese.

In June 2024, PHP developers released patches fixing CVE-2024-4577; shortly after that, WatchTowr Labs published a PoC exploit for this vulnerability; and information security specialists reported first attacks involving its exploitation.

According to Cisco Talos, unknown attackers have been exploiting CVE-2024-4577 since January 2025 in attacks targeting Japanese organizations.

The malefactors tried to steal credentials of attacked organizations, gain footholds in compromised systems, escalate their privileges to SYSTEM level, deploy various tools and frameworks, and use Cobalt Strike TaoWu plugins.

GreyNoise reports that cybercriminals behind this sophisticated malicious campaign are acting at a global scale with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.

In the first month of 2025, the Global Observation Grid (GOG) detected 1,089 unique IP addresses used for CVE-2024-4577 exploitation.

“While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in Singapore/Indonesia, UK/Spain/India. More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” – GreyNoise

According to GreyNoise, at least 79 exploits are currently available for CVE-2024-4577.