- Cisco Talos recently found a bug in PHP-CGI, being used in attacks against Japanese firms
- GreyNoise said the attacks are being seen worldwide, and called for “immediate action”
- A patch was released in the summer of 2024, so update now
Cybersecurity researchers from Cisco Talos recently discovered a critical PHP-CGI vulnerability which could soon become a “global problem” – and doubling down on these findings, experts from GreyNoise have now added that “immediate action” is needed to tackle the threat.
In its report, GreyNoise noted how Cisco Talos recently observed threat actors targeting Japanese organizations through CVE-2024-4577, a critical remote code execution (RCE) flaw in PHP-CGI, with 79 exploits available. Cisco Talos said the unnamed threat actor used the bug to steal credentials and establish persistence on the target system “indicating the likelihood of future attacks.”
“While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally,” the report said.
The US, Singapore, and other targets
Cisco Talos said the threat actors were exploiting the flaw to drop Cobalt Strike beacons, and conduct post-exploitation activities using the TaoWu toolkit.
However, GreyNoise said the flaw was being abused in multiple places around the world, including the United States, Singapore, Japan, and other countries.
The attacks started in January this year, with GreyNoise’s Global Observation Grid (a worldwide network of honeypots) detecting 1,089 unique IPs (separate threat actors, essentially) attempting to exploit CVE-2024-4577 in January 2025 alone.
Almost half (43%) of IPs targeting CVE-2024-4577 in the past 30 days came from either Germany or China, GreyNoise said.
Cisco Talos has released guidance to help businesses with internet-facing Windows systems exposing PHP-CGI mitigate the threat and defend against potential attacks, which you can find here. A patch was released in the summer of 2024, according to The Record, and GreyNoise added that users should run retro-hunts to identify similar exploitation patterns.
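The retro-hunt GreyNoise recommends is, in practice, a pass over historical web server access logs. The script below is an added example (not code from Cisco Talos, GreyNoise or The Record): it parses combined-format access log lines, keeps only requests aimed directly at a PHP-CGI handler, and summarises them as unique source IPs per day, the same unit GreyNoise uses for its honeypot figures. It assumes the CGI binary is reachable under a URL path containing `php-cgi` (the `PATH_MARKER` constant, a hypothetical indicator you should tune to your own deployment), and the log lines are constructed samples using RFC 5737 documentation addresses, not real traffic.

```python
"""Retro-hunt over web server access logs for requests sent directly to a
PHP-CGI handler, reported as unique source IPs per day.

Added example, not code from Cisco Talos, GreyNoise or The Record.
Assumption: the CGI binary is exposed at a URL path containing "php-cgi";
change PATH_MARKER to match your own layout.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

PATH_MARKER = "php-cgi"  # assumed indicator; tune to your deployment

# Combined Log Format (Apache/NCSA style). Captures client IP, timestamp,
# method, request target (path plus optional query string) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jan/2025:11:02:33 +0000] "GET /php-cgi/php-cgi.exe?x=1 HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2025:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:03:14:09 +0000] "POST /php-cgi/php-cgi.exe?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.10 - - [12/Jan/2025:03:14:11 +0000] "POST /php-cgi/php-cgi.exe?x=2 HTTP/1.1" 200 130 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2025:05:40:00 +0000] "GET /php-cgi/php-cgi.exe HTTP/1.1" 200 812 "-" "curl/8.4.0"
192.0.2.55 - - [13/Jan/2025:22:01:45 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "date": ts.date().isoformat(),
        "method": m["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(m["status"]),
    }


def is_cgi_hit(rec, marker=PATH_MARKER):
    """True when the request path points at the PHP-CGI handler itself."""
    return marker in rec["path"].lower()


def retro_hunt(log_text, marker=PATH_MARKER):
    """Return {ISO date: sorted unique source IPs} for matching requests.

    Unparseable lines are skipped rather than aborting the hunt, so the
    script can run over large, partially corrupted log archives.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cgi_hit(rec, marker):
            hits[rec["date"]].add(rec["ip"])
    return {day: sorted(ips) for day, ips in sorted(hits.items())}


def unique_ip_counts(hits):
    """Collapse the per-day IP lists into the unique-IP count GreyNoise reports."""
    return {day: len(ips) for day, ips in hits.items()}


if __name__ == "__main__":
    for day, ips in retro_hunt(SAMPLE_LOG).items():
        print(f"{day}: {len(ips)} unique source IP(s) -> {', '.join(ips)}")
```

Feed it your own archived logs (`retro_hunt(open(path).read())`) and compare the per-day counts against the January 2025 window the article describes; a day with an unusual number of distinct sources hitting the CGI handler is a candidate for deeper incident review on that host.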
Via The Record