PHP Under Attack
A critical PHP vulnerability, CVE-2024-4577, affecting Windows-based PHP installations, has been actively exploited worldwide since its disclosure in June 2024. Initially believed to be primarily targeting Japan, recent telemetry from GreyNoise confirms that mass exploitation has extended to multiple countries, including the United States, United Kingdom, Singapore, Germany, and India. The vulnerability enables remote code execution (RCE), making it a significant threat to any installation that remains unpatched. Cisco Talos recently reported that an unknown threat actor leveraged CVE-2024-4577 for initial access in targeted attacks against Japanese organizations in the telecom, technology, and education sectors, using Cobalt Strike’s TaoWu plug-ins for post-exploitation activities.
GreyNoise’s data indicates that the vulnerability has been exploited at a large scale, with notable attack spikes occurring in January and February 2025. The company observed 1,089 unique IP addresses launching attacks in January alone, with more than 40% of these originating from Germany and China. Attackers appear to be conducting automated scans for vulnerable targets, suggesting a coordinated effort behind the increasing number of incidents.
Security researchers warn that exploitation of CVE-2024-4577 is not limited to credential theft but could also involve privilege escalation and long-term persistence, potentially leading to more sophisticated cyber intrusions. The widespread nature of these attacks underscores the importance of patching vulnerable PHP installations, strengthening network monitoring, and implementing proactive security measures to mitigate the risk of compromise.
Wright, Rob. 2025. “Critical PHP Vulnerability Under Widespread Cyberattack.” Cybersecurity Dive. Mar. 10.
READ: https://bit.ly/4l1M71S