Critical PHP Vulnerability Under Mass Exploitation: What You Need to Know

The 8-month old vulnerability is now being used en-masse

A critical vulnerability in PHP, tracked as CVE-2024-4577, is being widely exploited by threat actors to execute remote code on vulnerable servers. The flaw, which carries a high CVSS score of 9.8, affects Windows servers using Apache and PHP-CGI under specific code page configurations.

What Happened?

The vulnerability was publicly disclosed in June 2024, with initial exploitation attempts occurring just days later. While early attacks were attributed to a ransomware gang targeting Japanese organizations, the threat has now gone global. According to GreyNoise, over 1,000 unique IP addresses attempted to exploit this flaw in January 2025 alone, with significant activity in the US, UK, Singapore, and beyond.

How Does It Work?

The vulnerability arises from PHP’s handling of the ‘Best-Fit’ behavior in Unicode to ANSI character conversion. By supplying specific character sequences, attackers can inject arguments into the php-cgi module, leading to remote code execution (RCE). This flaw allows malicious actors to run arbitrary code on Windows servers, potentially gaining System privileges.

Attackers exploiting this flaw have been observed executing tools to modify registry keys, add scheduled tasks, and create malicious services using the Cobalt Strike ‘TaoWu’ plugins, achieving persistence within compromised systems.

Why It Matters

This widespread exploitation highlights a significant threat to organizations running vulnerable configurations. With 79 publicly available exploits targeting this flaw, the risk of compromise is high. The malicious campaign has already impacted sectors including education, entertainment, e-commerce, technology, and telecommunications.

What Should You Do?

• Patch Immediately: Ensure all Windows servers running Apache and PHP-CGI are updated with the latest security patches.
• Verify Configurations: Avoid using deprecated or insecure code pages that might trigger the ‘Best-Fit’ behavior.
• Monitor Network Activity: Watch for unusual patterns, especially those indicative of registry modifications, scheduled task creation, and SMB traffic anomalies.

Proactive mitigation measures are crucial to prevent attackers from exploiting this high-severity vulnerability and gaining unauthorized access to critical systems.