
Experts warn that this serious vulnerability in PHP could become a global issue.
There are numerous ways to exploit a newly discovered remote code execution vulnerability.
Cybersecurity researchers from Cisco Talos have recently identified a critical vulnerability in PHP-CGI that has been exploited in attacks targeting Japanese companies. These findings have led experts from GreyNoise to emphasize the need for "immediate action" to address this threat on a global scale.
In their report, GreyNoise highlighted that Cisco Talos has observed malicious actors targeting organizations in Japan via CVE-2024-4577, a severe remote code execution (RCE) flaw in PHP-CGI for which 79 public exploits are available. Cisco Talos researchers indicated that the attacker, whose identity has not been disclosed, used this vulnerability to steal credentials and maintain persistence on the compromised systems, suggesting a high likelihood of further attacks.
While Talos focused on analyzing the victims and the attackers' tactics, GreyNoise's telemetry reveals a much broader exploitation pattern, necessitating an immediate reaction from defenders worldwide.
Exploitation of this vulnerability has been observed not only in Japan but also in the United States, Singapore, and other countries. In January 2025 alone, GreyNoise's Global Observation Grid, a worldwide network of honeypots, detected 1,089 unique IP addresses attempting to exploit CVE-2024-4577. Nearly half of these (43%) originated in Germany or China.
Cisco Talos has issued recommendations to help companies with exposed PHP-CGI installations on Windows mitigate this threat and defend against potential attacks. A patch has been available since the summer of 2024, and GreyNoise experts advise defenders to run retrospective searches of their logs to identify similar exploitation patterns.