Bug affecting PHP scripts demands ‘immediate action from defenders globally’


A vulnerability initially exploited mostly in cyberattacks against Japanese organizations is now a potential problem worldwide, researchers said Friday.

Threat intelligence company GreyNoise said exploitation of the bug, tracked as CVE-2024-4577, “extends far beyond initial reports,” referencing in particular a blog post published Thursday by cybersecurity firm Cisco Talos.

The Cisco Talos team had said an unknown attacker was “predominantly targeting organizations in Japan” in January through the vulnerability, which affects a setup called PHP-CGI that runs scripts on web servers. A patch was issued last summer.

The attacker’s apparent goal was to steal access credentials and potentially establish persistence in a system, “indicating the likelihood of future attacks,” Cisco Talos said.

GreyNoise said it observed similar activity beyond Japan, revealing “a far wider exploitation pattern demanding immediate action from defenders globally.” 

There are 79 known ways to exploit the vulnerability and remotely execute code on a compromised system, GreyNoise said. The PHP scripting language is decades old and is widely used in web development.

“Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025,” Friday’s report said.

Cisco Talos said Thursday that the attacker it studied used a “command and control (C2) server that deploys a full suite of adversarial tools and frameworks.” The researchers said they believed the attacker’s motive was to move beyond just stealing credentials. 

Researchers at Symantec had reported exploitation of CVE-2024-4577 in August, against a university in Taiwan, not long after the patch was issued.


Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.
