- Cisco Talos recently found a bug in PHP-CGI, being used in attacks against Japanese firms
- GreyNoise said the attacks are being seen worldwide, and called for “immediate action”
- A patch was released in the summer of 2024, so update now
Cybersecurity researchers from Cisco Talos recently discovered a critical PHP-CGI vulnerability which could soon become a “global problem”, and, doubling down on these findings, experts from GreyNoise have now added that “immediate action” is needed to tackle the threat.
In its report, GreyNoise noted how Cisco Talos recently observed threat actors targeting Japanese organizations through CVE-2024-4577, a critical remote code execution (RCE) flaw in PHP-CGI, with 79 exploits available. Cisco Talos said the unnamed threat actor used the bug to steal credentials and establish persistence on the target system “indicating the likelihood of future attacks.”
“While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally,” the report said.
The US, Singapore, and other targets
Cisco Talos said the threat actors were exploiting the flaw to drop Cobalt Strike beacons, and conduct post-exploitation activities using the TaoWu toolkit.
However, GreyNoise said the flaw was being abused in multiple places around the world, including the United States, Singapore, Japan, and other countries.
The attacks started in January this year, with GreyNoise’s Global Observation Grid (a worldwide network of honeypots) detecting 1,089 unique IPs (separate threat actors, essentially) attempting to exploit CVE-2024-4577 in January 2025 alone.
Almost half (43%) of IPs targeting CVE-2024-4577 in the past 30 days came from either Germany or China, GreyNoise said.
Cisco Talos has released guidance to help businesses with internet-facing Windows systems exposing PHP-CGI mitigate the threat and defend against potential attacks. A patch was released in the summer of 2024, according to The Record, and GreyNoise added that users should run retro-hunts to identify similar exploitation patterns.
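The retro-hunt GreyNoise recommends can be done against ordinary web server access logs. The script below is an added example, not code from the article, Cisco Talos or GreyNoise: it parses Combined Log Format lines and flags requests whose query string carries a token beginning with the 0xAD soft-hyphen byte, which is the indicator public write-ups of CVE-2024-4577 describe (on affected Windows code pages that byte is mapped to `-`, letting a query string be read as a php-cgi command-line option). The log lines, IP addresses and the `display_errors` directive in the sample are constructed for the demonstration; the path filter (`.php` or `php-cgi`) is an assumption that PHP is reached through those paths and should be widened to match your own handler mapping.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample access-log lines in Combined Log Format; none of this is real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:01:09 +0000] "GET /php-cgi/php-cgi.exe?%ADd+display_errors%3d1 HTTP/1.1" 200 1342 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2025:10:02:11 +0000] "GET /test.php?%ad%64+display_errors%3d1 HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.44 - - [12/Jan/2025:10:03:00 +0000] "GET /products.php?id=%AD HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Jan/2025:10:04:00 +0000] "GET /search?q=a+%ADb HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Combined Log Format: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed scope: only paths served by PHP-CGI can be affected. Adjust to your handler mapping.
PHP_PATH_RE = re.compile(r'(\.php$|php-cgi)', re.IGNORECASE)


def php_cgi_option_injection(target: str) -> bool:
    """Return True if the request target looks like a CVE-2024-4577 attempt.

    The query string is percent-decoded to bytes (so %ad%64 and %ADd look the
    same), split on the CGI argument separators '+' and ' ', and each token is
    checked for a leading 0xAD byte followed by an ASCII letter, i.e. an
    option-like token such as soft-hyphen + 'd'. A lone 0xAD inside a parameter
    value (id=%AD) does not match because the token starts with the parameter name.
    """
    path, sep, query = target.partition("?")
    if not sep or not query or not PHP_PATH_RE.search(path):
        return False
    raw = urllib.parse.unquote_to_bytes(query)
    for token in re.split(rb"[+ ]", raw):
        if len(token) >= 2 and token[0] == 0xAD and bytes([token[1]]).isalpha():
            return True
    return False


def retro_hunt(log_text: str) -> List[Dict[str, str]]:
    """Scan access-log text and return one record per matching request."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        if php_cgi_option_injection(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"]})
    return hits


def unique_sources(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client IPs behind the matching requests, sorted for reporting."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    found = retro_hunt(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]}')
    print("sources:", ", ".join(unique_sources(found)))
```

Run it against a real log with `retro_hunt(open("access.log").read())`; a hit with a 200 status on a php-cgi path deserves the same credential-theft and persistence checks the article describes, since the request reached the handler. Decoding to bytes before tokenising is the important design choice: a plain string search for `%AD` misses the lower-case and double-encoded spellings in the third sample line.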
Via The Record
This article is written by: Nermeen Nabil Khear Abdelmalak