Ethical Hacking News
Security experts have sounded the alarm on a critical PHP flaw (CVE-2024-4577) that has been exploited by multiple threat actors around the world, resulting in a mass exploitation of this vulnerability. Experts warn that organizations must take immediate action to update their installations and implement robust security measures to prevent further exploitation.
The critical PHP-CGI OS Command Injection Vulnerability (CVE-2024-4577) has been exploited by multiple threat actors worldwide. Over 1,089 unique IPs have been detected exploiting the flaw in January 2025 alone. The vulnerability allows attackers to bypass protections for a previous vulnerability and deliver malware families. The attacks have been observed on multiple platforms, including Windows, Linux, and macOS. Security experts advise organizations with internet-facing Windows systems exposing PHP-CGI to take immediate action and update their installations as soon as possible. A surge in activity associated with other PHP-CGI vulnerabilities is expected in the near future.
In a worrying turn of events, security experts have sounded the alarm on a critical vulnerability in PHP that has been exploited by multiple threat actors around the world. The vulnerability, tracked as CVE-2024-4577 (CVSS 9.8), is a PHP-CGI OS Command Injection Vulnerability that allows attackers to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. This has resulted in an unprecedented level of exploitation, with threat actors attempting to exploit the flaw on a massive scale.
The vulnerability was first disclosed and publicized in June 2024, at which point multiple threat actors began exploiting it to deliver malware families, including Gh0st RAT, RedTail cryptominers, and XMRig. Since then, the number of attacks has continued to escalate, with GreyNoise researchers detecting over 1,089 unique IPs exploiting CVE-2024-4577 in January 2025 alone.
The attack vectors used by threat actors are diverse, with attackers targeting organizations in multiple regions, including the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, and Spain. The attacks have also been observed on multiple platforms, including Windows, Linux, and macOS.
GreyNoise researchers have warned that the exploitation of CVE-2024-4577 extends far beyond initial reports, with attack attempts observed across multiple regions. The company urges users to update their installations as soon as possible, as well as identify and block malicious IPs actively targeting CVE-2024-4577.
The vulnerability is particularly concerning due to its ease of exploitation. According to GreyNoise researchers, an unauthorized attacker can directly execute arbitrary code on the remote server when the Windows operating system is running in Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936), or Japanese (Code Page 932). For Windows running in other locales, such as English, Korean, and Western European, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios.
As a result of the ongoing attacks, security experts are advising organizations with internet-facing Windows systems exposing PHP-CGI to take immediate action. This includes following the guidance provided by Cisco Talos and performing retro-hunts to identify similar exploitation patterns. It is also recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version.
In addition to the mass exploitation of CVE-2024-4577, security experts are also warning about the potential for other related vulnerabilities to be exploited in the coming weeks and months. With multiple threat actors already exploiting this vulnerability, it is likely that we will see a surge in activity associated with other PHP-CGI vulnerabilities in the near future.
The recent exploitation of CVE-2024-4577 serves as a stark reminder of the ongoing cybersecurity threats facing organizations around the world. As technology continues to evolve and become increasingly interconnected, the risk of exploitation through vulnerabilities such as this one will only continue to grow.
In light of these developments, it is essential that organizations take proactive steps to protect themselves against this threat. This includes staying up-to-date with the latest security patches, conducting regular vulnerability assessments, and implementing robust security measures to prevent exploitation.
The cybersecurity landscape has never been more complex or dynamic, and it is crucial that we are prepared for the evolving threats that come our way. By staying informed and taking proactive steps to protect ourselves, we can reduce the risk of being exploited by threat actors like these.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Mass-Exploitation-of-PHP-Flaw-CVE-2024-4577-A-Global-Cybersecurity-Threat-ehn.shtml
https://securityaffairs.com/175198/hacking/experts-warn-of-mass-exploitation-of-critical-php-flaw-cve-2024-4577.html
https://www.pcrisk.com/removal-guides/12964-xmrig-virus
https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/xmrig-malware/
Published: Mon Mar 10 11:00:54 2025 by llama3.2 3B Q4_K_M
