Listen to this Post
In an alarming new development, threat actors have begun exploiting a critical vulnerability in PHP that could allow remote code execution on vulnerable servers. The flaw, identified as CVE-2024-4577, poses significant risks to servers running Apache and PHP-CGI on Windows systems. With a high CVSS score of 9.8, this vulnerability allows attackers to inject malicious arguments remotely, potentially executing arbitrary code.
the CVE-2024-4577 Vulnerability
The vulnerability in question, CVE-2024-4577, is primarily affecting Windows servers running Apache with PHP-CGI configured to certain code pages. If these servers fail to address the misinterpretation of specific character sequences, attackers can inject commands that exploit the flaw. This issue stems from how PHP’s implementation on Windows doesn’t properly handle the ‘Best-Fit’ behavior, leading to a mismatch when converting Unicode characters to ANSI.
First disclosed publicly in June 2024, CVE-2024-4577 quickly became a target for attackers. Within two days of its public release, ransomware gangs were observed exploiting the flaw. Cisco further reported that by January 2025, the vulnerability had been actively exploited in a campaign against various Japanese organizations, including those in education, telecommunications, and ecommerce sectors.
The attackers behind these campaigns deploy tools to escalate system privileges, modify registry keys, and set up scheduled tasks to ensure persistence. They also use malicious plugins from the Cobalt Strike kit, specifically “TaoWu,” to facilitate their attacks.
GreyNoise, a threat intelligence firm, has observed a significant uptick in exploitation attempts worldwide. While initially attributed to Japan, the attacks have since spread to the US, UK, Singapore, and several other countries. The firm’s Global Observation Grid (GOG), a network of honeypots, detected over 1,000 unique IPs attempting to exploit the vulnerability in January 2025 alone.
The severity of CVE-2024-4577 is underscored by the fact that there are currently 79 publicly available exploits targeting the flaw. GreyNoise’s observations indicate that over 43% of attacks originated from Germany and China. The increasing frequency of these attacks points to an automated scanning operation looking for vulnerable targets.
The vulnerability affects all versions of PHP running on Windows systems. It has been patched in PHP versions 8.1.29, 8.2.20, and 8.3.8. Users are strongly urged to update their PHP installations to protect their servers from potential exploits.
What Undercode Says:
CVE-2024-4577 stands as a reminder of the persistent and evolving threats that developers and organizations face today. As global networks become more interconnected, vulnerabilities in widely-used software like PHP become increasingly attractive targets for malicious actors. The exploitation of this particular vulnerability is a textbook case of how flaws in server-side programming can lead to severe compromises in system security.
From a technical perspective, the root cause of CVE-2024-4577 lies in PHP’s handling of character encoding on Windows. The failure to correctly implement Unicode-to-ANSI conversion results in a flaw that attackers can easily weaponize. This highlights the importance of rigorous testing and validation when deploying software on different platforms, especially when dealing with internationalization and character encoding.
The exploitation timeline reveals an alarming trend: even though the flaw was publicly disclosed in mid-2024, it wasn’t long before ransomware groups began leveraging it. This demonstrates that threat actors are quick to capitalize on publicly known vulnerabilities, which can lead to widespread damage before patches are applied. The fact that exploitation spread to numerous sectors in Japan further exemplifies how such vulnerabilities can be weaponized in targeted campaigns.
One of the most concerning aspects of this issue is the global reach of the attacks. While the initial focus was on Japan, exploitation attempts have now been observed across multiple regions, including the US, UK, and several Asian countries. This wide geographical spread suggests that attackers are scanning the internet for vulnerable systems at a much larger scale, using automated tools to identify potential targets quickly.
The numbers provided by GreyNoise are particularly troubling. Over 1,000 unique IPs attempting to exploit the flaw in just one month is a clear indicator of the vulnerability’s attractiveness to attackers. Moreover, the rise in exploitation activities following the initial discovery of the flaw suggests that attackers are not only aware of it but are actively scanning for vulnerable systems, ramping up their efforts over time.
In response to this growing threat, PHP developers have released patches in versions 8.1.29, 8.2.20, and 8.3.8. However, the patching process is often slower than required, leaving many systems at risk. For businesses and IT professionals, this serves as a stark reminder of the importance of maintaining up-to-date software and regularly applying security patches.
CVE-2024-4577 also underscores the importance of proactive security measures, such as intrusion detection systems and vulnerability scanning tools, to identify and mitigate risks before they can be exploited. As seen with this flaw, once a vulnerability becomes public knowledge, attackers will waste no time in launching attacks, making it crucial to stay ahead of the curve with timely updates and constant vigilance.
Fact Checker Results:
- GreyNoise’s global observation of 1,089 unique IPs attempting exploitation has been confirmed.
- The high CVSS score of 9.8 for CVE-2024-4577 indicates critical severity.
- PHP versions 8.1.29, 8.2.20, and 8.3.8 have patched the vulnerability, and the exploit continues to be observed in attacks.
References:
Reported By: https://www.securityweek.com/mass-exploitation-of-critical-php-vulnerability-begins/
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





