Attacks Exploiting ‘Critical’ PHP Vulnerability Have Impacted US: Researcher

The remote code execution flaw affects Windows-based PHP installations, and was initially disclosed in June 2024.

Exploitation of a critical-severity vulnerability affecting Windows-based PHP installations has impacted organizations in the U.S., according to a researcher at threat intelligence firm GreyNoise.

The remote code execution flaw (tracked as CVE-2024-4577) has now seen “mass exploitation,” with attack activity “far more widespread” than initially believed, wrote Bob Rudis, vice president of data science at GreyNoise, in a post.


The vulnerability was initially disclosed in June 2024, and was already being exploited in the wild at the time of disclosure.

More recently, the vulnerability has seen an upsurge in activity “predominantly targeting organizations in Japan,” a researcher at Cisco Talos wrote in a post last Thursday.

“The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines,” wrote Chetan Raghuprasad, security researcher technical leader at Cisco Talos, in the blog.

However, in a post on the GreyNoise blog Friday, Rudis wrote that there is evidence of wider exploitation than suggested in the Talos blog.

“GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports,” he wrote in the post. “Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.”

Notably, GreyNoise has “detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets,” Rudis wrote.

In an email comment provided to CRN, Patrick Tiquet, vice president of security and architecture at password management vendor Keeper Security, said the vulnerability is indeed a serious threat to organizations operating Windows servers that run Apache and PHP-CGI.
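The GreyNoise and Talos findings above describe scanning and exploitation attempts against Apache plus PHP-CGI hosts; what they do not show is what such an attempt looks like in a web server log. The following Python detector is an added example, not code from the CRN article, GreyNoise or Cisco Talos. It rests on two facts the article does not spell out: Apache's CGI handler hands a query string that contains no raw "=" to the CGI binary as command-line arguments (so attackers percent-encode the "=" as %3d), and the CVE-2024-4577 bypass uses a percent-encoded soft hyphen (%AD) that Windows "Best-Fit" code-page conversion silently turns into "-", so php-cgi ends up executing "-d allow_url_include=1" and similar options. The log lines, IP addresses and function names are constructed for the example.

```python
"""Flag CVE-2024-4577-style php-cgi argument injection in Apache access logs.

Added example; the log lines below are constructed, not real traffic.
"""
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Apache "combined" log format; we only need the client IP and the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# An argument that starts with the soft hyphen (0xAD) followed by an option letter.
# Windows Best-Fit mapping rewrites 0xAD to '-', so php-cgi sees "-d", "-s", ...
# (background supplied for this example; the article does not describe the mechanism).
SOFT_HYPHEN_OPT = re.compile(rb"^\xad[A-Za-z]")
# The older, plain "?-d" / "?-s" form (CVE-2012-1823 era) that patched php-cgi rejects.
ASCII_HYPHEN_OPT = re.compile(rb"^-[A-Za-z]")
# ini directives that turn argument injection into code execution via php://input.
SUSPICIOUS_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"php://input")


def php_cgi_argv(target: str) -> Optional[List[bytes]]:
    """Rebuild the argv Apache's CGI handler would pass to php-cgi.

    Returns None when the query contains a raw '=' (then Apache only sets
    QUERY_STRING and passes no argv), mirroring mod_cgi's indexed-query rule.
    """
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    if "=" in query:
        return None
    # mod_cgi splits on '+' before percent-decoding each piece.
    return [unquote_to_bytes(part) for part in query.split("+")]


def classify(argv: List[bytes]) -> Optional[str]:
    """Return a finding label for a suspicious argv, or None if it looks benign."""
    if any(SOFT_HYPHEN_OPT.match(arg) for arg in argv):
        return "cve-2024-4577 soft-hyphen argument injection"
    if any(ASCII_HYPHEN_OPT.match(arg) for arg in argv):
        return "php-cgi option passed on argv (blocked by patched php-cgi)"
    joined = b" ".join(argv).lower()
    if any(d in joined for d in SUSPICIOUS_DIRECTIVES):
        return "php ini directive passed on argv"
    return None


def scan_log(lines) -> List[dict]:
    """Run the checks over access-log lines and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        argv = php_cgi_argv(m["target"])
        if argv is None:
            continue
        label = classify(argv)
        if label:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "label": label,
                "argv": [a.decode("latin-1") for a in argv],
            })
    return findings


# Constructed sample: one CVE-2024-4577 attempt, one short probe, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:03:14:07 +0000] "GET /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1"'
    ' 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jan/2025:03:15:22 +0000] "POST /index.php?%ads HTTP/1.1"'
    ' 404 212 "-" "curl/8.4"',
    '192.0.2.44 - - [10/Jan/2025:03:16:01 +0000] "GET /index.php?page=home&id=3 HTTP/1.1"'
    ' 200 8019 "-" "Mozilla/5.0"',
    # soft hyphen inside a word, not at the start of an argument: not an option injection
    '192.0.2.45 - - [10/Jan/2025:03:16:30 +0000] "GET /search.php?soft%ADhyphen+word HTTP/1.1"'
    ' 200 1100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["label"], f["argv"])
```

The first two sample lines are flagged and the last two are not; the fourth line is there deliberately, because a soft hyphen that is not the first byte of an argument cannot become a php-cgi option. Two caveats for anyone turning this into a production rule: a hit only proves an attempt, not success, since the Best-Fit conversion depends on the Windows locale and code page the server runs under, and the real fix is to run a patched PHP release (8.3.8, 8.2.20 or 8.1.29 and later) or stop exposing php-cgi at all rather than to rely on log matching.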

The vulnerability carries a CVSS base score of 9.8 out of 10.0, which places it in the “critical” severity range.