
Mass exploitation of a critical PHP vulnerability has begun

11 Mar, 2025

Researchers at GreyNoise have recorded mass exploitation of the critical vulnerability CVE-2024-4577 (CVSS score 9.8) in PHP. The flaw lets attackers remotely execute code on Windows servers running Apache with PHP-CGI.

Details of CVE-2024-4577 were published in June 2024, and within two days researchers observed the first exploitation attempts by ransomware operators.

In January 2025, Cisco reported that the flaw was being actively exploited in attacks on Japanese companies in the education, entertainment, e-commerce, technology and telecommunications sectors.

Using the exploit, the attackers obtained system-level privileges, modified the Windows registry, added scheduled tasks and created malicious services using Cobalt Strike plugins.

GreyNoise now warns that the attacks have spread beyond Japan. In January 2025, 1,089 unique IP addresses attempted to exploit CVE-2024-4577; attacks were recorded in the United States, United Kingdom, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain and Malaysia.

More than 43% of the attacking IP addresses were registered in Germany and China. In February the number of recorded attacks grew further, which points to automated scanning for vulnerable servers around the world.

The bug stems from PHP-CGI on Windows not accounting for how Windows converts Unicode characters to ANSI (the "Best-Fit" mapping). This lets an attacker send specially crafted characters that end up being interpreted as PHP command-line arguments, resulting in arbitrary code execution.

The flaw is fixed in PHP 8.1.29, 8.2.20 and 8.3.8.

There are currently 79 publicly available exploits for CVE-2024-4577, which makes the threat extremely relevant for administrators and developers running PHP on Windows.
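Two things a defender wants from this article are a quick way to decide whether a given PHP build is on a fixed version, and a way to spot the kind of request the Best-Fit issue depends on in Apache access logs. The following Python is an added example written for this page, not code from GreyNoise, Cisco or the PHP project. It assumes the Apache combined log format, that PHP-CGI endpoints are reachable as `*.php` paths or under a `php-cgi` path segment, and that the 8.0 and older branches are end-of-life and received no fix (the article names only 8.1.29, 8.2.20 and 8.3.8). The log lines are constructed samples; the flagged one uses an arbitrary non-ASCII byte, not a specific exploit payload.

```python
import re
from urllib.parse import unquote_to_bytes

# Fixed versions named in the article, keyed by branch. Branches 8.0 and
# older are end-of-life (assumption stated in the lead-in) and stay unpatched.
FIXED_VERSIONS = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def parse_version(text):
    """Turn '8.3.8' (optionally followed by build info) into (8, 3, 8)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True if this PHP version carries the CVE-2024-4577 fix."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branches newer than 8.3 shipped after the fix; older ones never got it.
        return v[:2] > (8, 3)
    return v >= fixed


# Apache combined log format: client ip, identd, user, [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_request(line):
    """Flag requests to a PHP endpoint whose query string decodes to bytes that
    are not valid UTF-8. Best-Fit mapping only matters for non-ASCII input, and
    legitimate non-ASCII form data is almost always UTF-8, so stray high bytes
    are the thing worth a closer look."""
    m = LOG_RE.match(line)
    if not m:
        return False
    path, _, query = m.group("target").partition("?")
    if not query:
        return False
    lowered = path.lower()
    if not (lowered.endswith(".php") or "php-cgi" in lowered):
        return False
    raw = unquote_to_bytes(query)
    if all(b < 0x80 for b in raw):
        return False                  # plain ASCII: nothing for Best-Fit to do
    try:
        raw.decode("utf-8")
        return False                  # well-formed UTF-8, e.g. a search term
    except UnicodeDecodeError:
        return True                   # lone high byte(s): candidate for conversion


def flagged_sources(lines):
    """Unique client IPs behind flagged requests, sorted for reporting."""
    ips = {LOG_RE.match(l).group("ip") for l in lines if suspicious_request(l)}
    return sorted(ips)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2025:10:01:02 +0000] "GET /index.php?q=caf%C3%A9 HTTP/1.1" 200 512',
    '203.0.113.8 - - [11/Mar/2025:10:01:03 +0000] "GET /php-cgi/php-cgi.exe?%A0x HTTP/1.1" 200 0',
    '203.0.113.9 - - [11/Mar/2025:10:01:04 +0000] "GET /static/logo.png?v=%A0 HTTP/1.1" 200 3210',
    '203.0.113.8 - - [11/Mar/2025:10:01:05 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ver in ("8.1.28", "8.1.29", "8.2.20", "8.3.7", "8.0.30"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
    print("sources to investigate:", flagged_sources(SAMPLE_LOG))
```

The detector deliberately errs on the side of review rather than blocking: a site that still accepts Latin-1 encoded form input will produce the same lone high bytes and show up as a false positive, so treat a hit as a prompt to check the PHP version and the PHP-CGI configuration on that host, not as proof of compromise.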
