Listen to this Post
A severe security flaw in PHP, identified as CVE-2024-4577, is currently under active exploitation by cybercriminals, with researchers warning of its potential to cause widespread damage. This vulnerability, which allows remote code execution on servers using Apache and PHP-CGI, poses a serious risk to web applications across the globe. With a CVSS score of 9.8, CVE-2024-4577 has been flagged as critical, and its exploitation could give attackers full control of vulnerable servers. As cybercriminals continue to take advantage of this flaw, it is crucial for organizations to stay informed and take immediate action to secure their systems.
Summary
CVE-2024-4577 is a PHP-CGI OS Command Injection vulnerability, tied to a flaw in PHP’s encoding conversion feature on Windows operating systems. The vulnerability allows an attacker to bypass protections against a previous PHP issue, CVE-2012-1823, through the injection of specific character sequences. By exploiting this flaw, attackers can execute arbitrary code on remote PHP servers, granting them full control over compromised systems.
Since its disclosure, the vulnerability has sparked an alarming rush of exploit attempts. Researchers from Shadowserver and GreyNoise have confirmed that multiple actors are leveraging the flaw to conduct attacks. The United States Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2024-4577 in its Known Exploited Vulnerabilities (KEV) catalog as early as June 2024, highlighting the severity of the issue.
In July 2024, Akamai’s Security Intelligence Response Team (SIRT) revealed that multiple malware families, including Gh0st RAT, RedTail cryptominers, and XMRig, were being deployed via the exploitation of this vulnerability. Akamai’s researchers reported that exploit attempts were observed within 24 hours of the vulnerability’s disclosure, emphasizing the speed at which threat actors are taking advantage of this weakness.
As the exploitation continues to escalate, GreyNoise researchers have confirmed a dramatic increase in attacks against organizations across the globe. The scope of the exploitation now extends beyond Japan, with notable spikes in regions such as the United States, Singapore, India, the UK, Spain, and others. In January 2025, GreyNoise detected over 1,000 unique IPs targeting this flaw, with a significant percentage of attacks originating from Germany and China.
The attackers have been using the vulnerability to target internet-facing Windows systems that expose PHP-CGI. The widespread nature of the attacks and the continued exploitation highlight the urgency for organizations to patch their systems. GreyNoise advises users to conduct thorough asset assessments, verify their PHP configurations, and update to the latest PHP versions to mitigate the risk of exploitation.
What Undercode Says:
The exploitation of CVE-2024-4577 is a serious reminder of the vulnerabilities inherent in widely-used technologies like PHP, especially when combined with the complexity of different operating environments. While the initial focus was on Japan, the rapid spread of attacks to other regions shows that this is a global issue. The fact that over 1,000 unique IP addresses were observed exploiting this vulnerability in just one month is a clear indication of how quickly attackers can mobilize once an exploit is made publicly available.
One key takeaway from this situation is the speed at which threat actors adapt to new vulnerabilities. The CVE-2024-4577 exploit was first disclosed publicly, and within 24 hours, threat actors were already attempting to exploit it. This underscores the importance of having robust monitoring and response mechanisms in place to detect and respond to such exploits as soon as they emerge.
Furthermore, the involvement of multiple malware families in the exploitation of this flaw—such as Gh0st RAT and XMRig—highlights the diverse motivations of cybercriminals. While some may seek to gain control over servers for espionage purposes (as in the case of Gh0st RAT), others are likely driven by financial incentives, deploying cryptominers to steal resources or ransom data.
This vulnerability also reinforces the necessity of proactive security practices, such as regular patching and updating of server-side software. GreyNoise’s advice to update PHP installations immediately is crucial, as outdated versions can leave systems exposed to a wide range of attacks. For organizations with PHP-CGI exposed on the internet, the risk is even higher, and extra caution should be taken to ensure that these systems are not vulnerable to this flaw.
The fact that CVE-2024-4577 has been tracked in CISA’s Known Exploited Vulnerabilities catalog and reported by multiple security firms should be a wake-up call for all PHP server administrators. Threat actors have been quick to capitalize on this vulnerability, and it’s clear that the exploitation is becoming increasingly sophisticated. Organizations need to prioritize securing their PHP environments to stay ahead of attackers.
Fact Checker Results:
- The CVE-2024-4577 vulnerability has been confirmed by multiple security researchers, including those at GreyNoise and Akamai.
- The rapid exploitation, observed within 24 hours of the flaw’s disclosure, reflects the increasing speed with which cybercriminals act.
- No widespread patching solution has been released yet, but PHP administrators are urged to update their systems to mitigate risks.
References:
Reported By: https://securityaffairs.com/175198/hacking/experts-warn-of-mass-exploitation-of-critical-php-flaw-cve-2024-4577.html
Extra Source Hub:
https://www.instagram.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2
