Critical PHP Vulnerability CVE-2024-4577 Exploited in Widespread Cyberattacks Targeting Corporate Systems

Introduction

In early 2025, a critical security vulnerability, designated CVE-2024-4577, emerged in PHP installations on Windows systems, triggering a wave of widespread cyberattacks. This report analyzes the nature of this vulnerability, its exploitation timeline, geographical impact, and the tactics employed by threat actors, highlighting the significant risk posed to corporate systems.

Vulnerability Details: CVE-2024-4577

CVE-2024-4577 is a critical argument-injection vulnerability affecting all versions of PHP running on Windows. Discovered by the DEVCORE security research team, the flaw allows an attacker to achieve remote code execution (RCE): arbitrary code can be injected and executed on a vulnerable server, giving the attacker unauthorized access to and control over the system.

Timeline of Exploitation and Attack Progression

Exploitation of CVE-2024-4577 began as early as November 2024, with telemetry data from GreyNoise indicating initial exploitation attempts starting around this period. The cyberattacks intensified significantly through January and February 2025. January 2025 witnessed a substantial surge with exploitation attempts originating from 1,089 unique IP addresses. February 2025 saw a further coordinated spike in exploitation attempts across multiple countries, suggesting a large-scale and potentially automated attack campaign.

Geographical Scope of Cyberattacks

Initial reports suggested that the attacks were localized to Japan. However, data from GreyNoise reveals a far more extensive global impact. Exploitation attempts have been observed across a diverse range of countries including:

  • United States
  • United Kingdom
  • Singapore
  • Japan
  • Germany
  • Indonesia
  • Spain
  • India
  • Taiwan
  • Malaysia

This widespread geographical distribution indicates a globally orchestrated cyberattack campaign exploiting the PHP vulnerability.

Threat Actors and Tactics

Cisco Talos reported that an unknown threat actor initiated attacks targeting Japanese organizations starting in January 2025. Sectors targeted include:

  • Telecom
  • Technology
  • Education

These attacks leveraged the Cobalt Strike kit, a known penetration testing and adversary simulation tool often misused by malicious actors, alongside a plugin named ‘TaoWu’. The primary objective of these attacks appears to be credential theft, potentially as a precursor to further, more damaging attacks within compromised corporate systems.

Furthermore, GreyNoise analysis suggests a component of the exploitation is automated scanning for vulnerable targets. Analysis of attacking IP addresses over a 30-day period revealed that over 40% originated from IP addresses based in Germany and China, pointing towards potential origins or staging points for these automated attacks.

Impact and Potential for Corporate System Compromise

The remote code execution nature of CVE-2024-4577 presents a severe security risk. Successful exploitation allows attackers to execute arbitrary code on vulnerable servers, effectively granting them full access to the compromised system. For corporate systems relying on vulnerable PHP installations, this could lead to:

  • Data breaches and exfiltration of sensitive corporate information.
  • System disruption and denial of service.
  • Installation of malware and backdoors for persistent access.
  • Lateral movement within corporate networks to compromise further systems.

The observed tactics, particularly credential theft and the use of tools like Cobalt Strike, indicate a high likelihood of attackers seeking to gain persistent and deep access within targeted corporate networks, potentially leading to full compromise of critical systems.

Conclusion

The critical PHP vulnerability CVE-2024-4577 has been actively and widely exploited since late 2024, with attacks intensifying in early 2025. The global scale of exploitation, coupled with the remote code execution capability and tactics employed by threat actors, signifies a significant and ongoing threat to corporate systems utilizing vulnerable PHP installations on Windows. Organizations must prioritize immediate patching and mitigation measures to defend against this critical vulnerability and prevent potential large-scale security breaches.
