Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.
Tracked as CVE-2024-4577, this PHP-CGI argument injection flaw was patched in June 2024 (PHP 8.3.8, 8.2.20 and 8.1.29) and affects Windows installations that run PHP in CGI mode, including default XAMPP for Windows setups that expose php-cgi.exe. The root cause is Windows' locale-dependent "Best-Fit" character mapping, which converts certain characters such as the soft hyphen (0xAD) into a regular hyphen before they reach PHP, letting a query string smuggle php-cgi command-line options past the filter added for the older CVE-2012-1823. Successful exploitation lets unauthenticated attackers execute arbitrary code and take full control of the system.
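As an added detection example (written for this page; not code from GreyNoise, Cisco Talos or the PHP project), the script below scans web-server access logs for the exploit pattern that public proofs-of-concept for CVE-2024-4577 use: php-cgi options in the query string, with the percent-encoded soft hyphen (%AD) standing in for "-" so that Windows' Best-Fit mapping turns it into a hyphen on the way to php-cgi.exe, and "=" encoded as %3d because a CGI server only splits the query string into command-line arguments when it contains no literal "=" (RFC 3875). It flags both that variant and the older plain-dash form from CVE-2012-1823, and pulls out the ini directives being set. The log lines, IP addresses and the option letters checked are constructed assumptions for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines for illustration (not real captures).
# 1: benign request; 2: CVE-2024-4577-style probe with the percent-encoded soft
# hyphen (%AD) that Windows Best-Fit maps to "-"; 3: older CVE-2012-1823-style
# plain "-d" injection; 4: benign search containing a dash, with a literal "="
# in the query, so a CGI server would not split it into arguments.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 120
198.51.100.8 - - [10/Mar/2025:12:00:03 +0000] "POST /cgi-bin/php-cgi?-d+allow_url_include%3d1 HTTP/1.1" 200 120
192.0.2.44 - - [10/Mar/2025:12:00:04 +0000] "GET /search.php?q=site+-exclude HTTP/1.1" 200 2048
"""

# Common Log Format: client IP, timestamp, method, URL and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A php-cgi option token at the start of the argument string or after a space:
# a real hyphen (0x2D) or the soft-hyphen byte (0xAD) that Best-Fit mapping
# turns into a hyphen on Windows, followed by an option letter.
OPTION_RE = re.compile(rb'(?:^|\s)(?P<dash>[\x2d\xad])(?P<opt>[A-Za-z])')
# "-d name=value" ini overrides, the form used to switch on allow_url_include
# and point auto_prepend_file at php://input (PHP code then rides in the body).
DIRECTIVE_RE = re.compile(rb'[\x2d\xad]d\s*(?P<name>[A-Za-z_.]+)=(?P<value>\S*)')


def decode_query(url: str) -> Optional[bytes]:
    """Return the query string as argv-style bytes, or None when a CGI server
    would not treat it as arguments: RFC 3875 only does that when the query
    has no literal '=', which is why exploits encode '=' as %3d."""
    query = url.partition('?')[2]
    if not query or '=' in query:
        return None
    # '+' separates arguments in a search-string query; decode to raw bytes
    # so 0xAD stays a single byte instead of becoming U+00AD text.
    return unquote_to_bytes(query.replace('+', ' '))


def find_injection(url: str) -> Optional[dict]:
    """Classify a URL as a php-cgi argument injection attempt, if it is one."""
    argv = decode_query(url)
    if argv is None:
        return None
    m = OPTION_RE.search(argv)
    if m is None:
        return None
    vector = 'soft-hyphen' if m.group('dash') == b'\xad' else 'dash'
    directives = {
        d.group('name').decode('ascii'): d.group('value').decode('latin-1')
        for d in DIRECTIVE_RE.finditer(argv)
    }
    return {'vector': vector, 'option': m.group('opt').decode('ascii'),
            'directives': directives}


def scan_log(text: str) -> list:
    """Return one finding per log line that carries an injection attempt."""
    hits = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if lm is None:
            continue
        finding = find_injection(lm.group('url'))
        if finding is not None:
            hits.append({'ip': lm.group('ip'), 'method': lm.group('method'),
                         'url': lm.group('url'), 'status': int(lm.group('status')),
                         **finding})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['vector'], hit['option'], hit['directives'])
```

The literal "=" rule keeps ordinary searches such as `q=site+-exclude` from being flagged, but it also means the check is only as good as the server's own argument-splitting behaviour; the soft hyphen is the character the public proofs-of-concept use, and other Best-Fit mappings exist in some Windows locales, so treat a hit as confirmation and a miss as nothing more than absence of this particular pattern. The durable fix remains patching PHP and not exposing php-cgi.exe at all.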
A day after PHP maintainers released CVE-2024-4577 patches on June 7, 2024, WatchTowr Labs released proof-of-concept (PoC) exploit code, and the Shadowserver Foundation reported observing exploitation attempts.
GreyNoise’s warning comes after Cisco Talos revealed earlier that an unknown attacker had exploited the same PHP vulnerability to target Japanese organizations since at least early January 2025.
While Talos observed the attackers attempting to steal credentials, it believes their goals extend beyond credential harvesting, based on post-exploitation activity that included establishing persistence, elevating privileges to SYSTEM level, deploying adversarial tools and frameworks, and using the "TaoWu" Cobalt Strike kit plugins.
New attacks expand to targets worldwide
However, as GreyNoise reported, the threat actors behind this malicious activity cast a much wider net by targeting vulnerable devices globally, with significant increases observed in the United States, Singapore, Japan, and other countries since January 2025.
In January alone, its worldwide network of honeypots known as Global Observation Grid (GOG) spotted 1,089 unique IP addresses attempting to exploit this PHP security flaw.
“While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread [..] More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” the threat intelligence firm said, warning that at least 79 exploits are available online.
“In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.”
Previously, CVE-2024-4577 was exploited by unknown attackers who backdoored a university’s Windows systems in Taiwan with newly discovered malware dubbed Msupedge.
The TellYouThePass ransomware gang also started exploiting the vulnerability to deploy webshells and encrypt victims’ systems less than 48 hours after patches were released in June 2024.