Cybersecurity experts have identified widespread exploitation of a severe PHP vulnerability that poses a significant risk to servers globally. This flaw, known as CVE-2024-4577, allows attackers to execute remote code on susceptible systems, particularly those running Windows servers with Apache and PHP-CGI configured with specific code pages.

Understanding the PHP Vulnerability

The vulnerability, assigned a CVSS score of 9.8, arises from PHP's handling of Unicode character conversion on Windows systems. Attackers can exploit this flaw by injecting specific character sequences that are misinterpreted as PHP options, leading to arbitrary code execution.

Technical Details

Disclosed in June 2024, CVE-2024-4577 was quickly targeted by cybercriminals. The flaw affects all PHP versions on Windows, with the issue being addressed in PHP versions 8.1.29, 8.2.20, and 8.3.8. Administrators are urged to update their PHP installations immediately to mitigate potential risks.

  • Remote Code Execution: The vulnerability allows attackers to execute arbitrary code remotely.
  • Character Conversion Flaw: Exploitation involves Unicode to ANSI character conversion errors.

Global Exploitation Campaigns

Initially observed in ransomware attacks shortly after its disclosure, the vulnerability has since been exploited in a broader campaign. Cisco reported that since January 2025, attackers have targeted various sectors in Japan, including education, entertainment, and technology.

International Impact

GreyNoise has reported significant exploitation activity beyond Japan, with spikes in the US, UK, Singapore, and other countries. Their Global Observation Grid detected over 1,000 unique IPs attempting to exploit this vulnerability in January 2025 alone.

  • Geographic Spread: Notable activity in the US, UK, Singapore, and more.
  • Increased Scanning: Automated scans for vulnerable systems are on the rise.
The link has been copied!