Analysis Summary

Researchers have warned that a serious PHP security flaw (CVE-2024-4577) is now being widely exploited. This vulnerability affects Windows systems running PHP in CGI mode and allows attackers to execute any code remotely, leading to full system control. Although it was patched in June 2024, attackers quickly began exploiting it, with proof-of-concept (PoC) code released a day after the patch.

Researcher, reported that an unknown attacker has been using this flaw to target Japanese organizations since January 2025. Initially, the attacks focused on stealing credentials, but further activities suggest the attackers aimed for long-term access, privilege escalation, and deployment of hacking tools.

Researchers have observed a global increase in attacks, with major activity in the U.S., Singapore, and Japan. In January alone, over 1,000 unique IP addresses attempted to exploit this vulnerability, with most originating from Germany and China. February saw a coordinated rise in attacks across multiple countries, indicating automated scanning for vulnerable systems.

This vulnerability has been exploited in past incidents, including a university breach in Taiwan where attackers installed a backdoor. The TellYouThePass ransomware group also used it to deploy webshells and encrypt victims’ data within 48 hours of the patch release. With at least 79 exploit tools available online, the risk remains high for unpatched systems.

Impact

• Code Execution
• Credential Theft
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2024-4577

Remediation

• Update PHP installations to the latest patched version immediately PHP Website
• Disable PHP-CGI mode if not required.
• Restrict access to PHP-CGI by configuring web server settings properly.
• Implement firewall rules to block suspicious IP addresses attempting to exploit the vulnerability.
• Monitor network traffic for unusual activity, such as repeated exploitation attempts.
• Use endpoint detection and response (EDR) tools to detect and block malicious activities.
• Conduct regular vulnerability scans to identify and patch security flaws.
• Apply the principle of least privilege to limit user permissions and prevent privilege escalation.
• Isolate and investigate any compromised systems for signs of persistent threats.
• Educate employees about phishing and social engineering attacks that may be used in conjunction with this exploit.