Bug affecting PHP scripts demands ‘immediate action from defenders globally’

A vulnerability initially exploited mostly in cyberattacks against Japanese organizations is now a potential problem worldwide, researchers said Friday.

Threat intelligence company GreyNoise said exploitation of the bug, tracked as CVE-2024-4577, “extends far beyond initial reports,” referencing in particular a blog post published Thursday by cybersecurity firm Cisco Talos.

The Cisco Talos team had said an unknown attacker was “predominantly targeting organizations in Japan” in January through the vulnerability, which affects a setup called PHP-CGI that runs scripts on web servers. A patch was issued last summer.

The attacker’s apparent goal was to steal access credentials and potentially establish persistence in a system, “indicating the likelihood of future attacks,” Cisco Talos said.

GreyNoise said it observed similar activity beyond Japan, revealing “a far wider exploitation pattern demanding immediate action from defenders globally.” 

There are 79 known ways to exploit the vulnerability and remotely execute code on a compromised system, GreyNoise said. The PHP scripting language is decades old and is widely used in web development.

“Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025,” Friday’s report said.

Cisco Talos said Thursday that the attacker it studied used a “command and control (C2) server that deploys a full suite of adversarial tools and frameworks.” The researchers said they believed the attacker’s motive was to move beyond just stealing credentials. 

Researchers at Symantec had reported exploitation of CVE-2024-4577 in August, against a university in Taiwan, not long after the patch was issued.