Experts Warn of Mass Exploitation of Critical PHP Flaw CVE-2024-4577

A critical vulnerability in the widely used PHP programming language has left experts warning of a large-scale exploitation. GreyNoise researchers have confirmed that threat actors are exploiting the flaw, tracked as CVE-2024-4577 (CVSS 9.8), to achieve remote code execution on vulnerable servers using Apache and PHP-CGI.

The vulnerability, a PHP-CGI OS Command Injection Vulnerability, resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit this flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. This allows attackers to inject arbitrary code into remote PHP servers, giving them control over vulnerable systems.

Since its public disclosure and availability of a Proof-of-Concept (PoC) exploit code, multiple threat actors have been attempting to exploit this vulnerability. In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-4577 to its Known Exploited Vulnerabilities (KEV) catalog, citing its critical nature.

In July 2024, the Akamai Security Intelligence Response Team (SIRT) warned that multiple threat actors were exploiting this PHP vulnerability to deliver malware families, including Gh0st RAT, RedTail cryptominers, and XMRig. The speed at which threat actors exploited this new vulnerability has been remarkable, with Akamai reporting exploit attempts on their honeypot network just 24 hours after its disclosure.

GreyNoise researchers have also reported malicious attempts to exploit CVE-2024-4577. They warn that the flaw can be used to execute arbitrary code on remote servers when Windows is running in specific locales, such as English, Korean, and Western European.

"As of this writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server: For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios."

GreyNoise recommends that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security. Akamai researchers also observed threat actors behind the DDoS botnet Muhstik exploiting this vulnerability.

Last week, Cisco Talos researchers reported that an unknown threat actor has been exploiting this flaw since as early as January 2025, predominantly targeting organizations in Japan. However, GreyNoise researchers confirm that the large-scale exploitation of CVE-2024-4577 is not limited to Japanese entities.

The experts observed a surge in attacks against multiple regions, including the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, and Spain. "GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports," reads the advisory. "Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025."

GreyNoise detected 1,089 unique IPs exploiting CVE-2024-4577 in January 2025, with attacks spreading beyond Japan to Singapore, Indonesia, the UK, Spain, and India. Over 43% of attacks originate from Germany and China.

In February, a coordinated spike in global exploitation suggested increased automated scanning for vulnerable systems. The company urges users to update their installations as soon as possible.

What You Can Do

"Organizations with internet-facing Windows systems exposing PHP-CGI — especially those in these newly identified targeted regions — should follow the guidance provided by Cisco Talos and perform retro-hunts to identify similar exploitation patterns," concludes GreyNoise. "Identify and block malicious IPs actively targeting CVE-2024-4577."
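As an added example of the retro-hunt GreyNoise recommends (not code from the article, GreyNoise, or Cisco Talos), the Python below scans Apache access-log lines for query strings shaped like php-cgi option injection: the plain ASCII form that the CVE-2012-1823 fix already rejects, and a non-ASCII lead byte that the Windows Best-Fit conversion described above may turn into a hyphen. The log format, the option-letter set and every log line are assumptions constructed for the example; the heuristic over-approximates by design, so hits are leads to review, not confirmed compromises.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache combined log format (assumed); only IP, timestamp and target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# php-cgi option letters to flag when a query string would be parsed as argv
# (the CVE-2012-1823 condition). Assumed set, not from the article.
OPTION_LETTERS = b"dsnc"

def classify_query(raw_query: str):
    """Reason string if the query is shaped like php-cgi option injection, else None.
    Percent-decoding to raw bytes keeps non-ASCII bytes visible."""
    q = unquote_to_bytes(raw_query)
    if len(q) < 2 or q[1] not in OPTION_LETTERS:
        return None
    if q[0] == 0x2D:                 # "-s", "-d ...": the form the 2012 fix rejects
        return "ascii-option"
    if q[0] >= 0x80:                 # non-ASCII lead byte that Windows Best-Fit
        return "best-fit-candidate"  # conversion may turn into an ASCII hyphen
    return None

def find_suspicious_requests(log_lines):
    """Retro-hunt over access-log lines for php-cgi / .php targets whose query
    string matches either pattern. Over-approximates; review hits manually."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path, _, query = target.partition("?")
        low = path.lower()
        if not (low.endswith(".php") or "php-cgi" in low):
            continue
        reason = classify_query(query)
        if reason:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "target": target, "reason": reason})
    return hits

# Constructed sample lines (not real traffic): benign, classic, Best-Fit, benign non-ASCII.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jan/2025:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.11 - - [15/Jan/2025:10:00:02 +0000] "POST /php-cgi/php-cgi.exe?-s HTTP/1.1" 403 0',
    '203.0.113.12 - - [15/Jan/2025:10:00:03 +0000] "POST /php-cgi/php-cgi.exe?%ADs HTTP/1.1" 200 1024',
    '203.0.113.13 - - [15/Jan/2025:10:00:04 +0000] "GET /search.php?%C3%A9t%C3%A9=1 HTTP/1.1" 200 88',
]
```

Run `find_suspicious_requests` over your own exported access logs; the 403 on the ASCII form shows the old protection working, while a 200 on the Best-Fit shape is the one worth escalating.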

Stay safe online by staying informed about the latest vulnerabilities and threats. Follow us on Twitter: @securityaffairs and Facebook and Mastodon (SecurityAffairs – hacking, PHP-CGI OS Command Injection Vulnerability) for the latest security news and updates.