- Cisco Talos recently found a bug in PHP-CGI, being used in attacks against Japanese firms
- GreyNoise said the attacks are being seen worldwide, and called for “immediate action”
- A patch was released in the summer of 2024, so update now
Cybersecurity researchers from Cisco Talos recently discovered a critical PHP-CGI vulnerability which could soon become a “global problem” – and doubling down on these findings, experts from GreyNoise have now added “immediate action” from is needed to tackle the threat.
In its report, GreyNoise noted how Cisco Talos recently observed threat actors targeting Japanese organizations through CVE-2024-4577, a critical remote code execution (RCE) flaw in PHP-CGI, with 79 exploits available. Cisco Talos said the unnamed threat actor used the bug to steal credentials and establish persistence on the target system “indicating the likelihood of future attacks.”
“While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally,” the report said.
The US, Singapore, and other targets
Cisco Talos said the threat actors were exploiting the flaw to drop Cobalt Strike beacons, and conduct post-exploitation activities using the TaoWu toolkit.
However, GreyNoise said the flaw was being abused in multiple places around the world, including the United States, Singapore, Japan, and other countries.
The attacks started in January this year, with GreyNoise’s Global Observation Grid (a worldwide network of honeypots) detecting 1,089 unique IPs (separate threat actors, essentially), attempting to exploit CVE-2024-4577 in January 2025 alone.
Almost half (43%) of IPs targeting CVE-2024-4577 in the past 30 days came from either Germany, or China, GreyNoise said.
Cisco Talos has released guidance to help businesses with internet-facing Windows systems exposing PHP-CGI mitigate the threat and defend against potential attacks, which you can find here. A patch was released in the summer of 2024, according to The Record, and GreyNoise added users should run retro-hunts to identify similar exploitation patterns.
Via The Record
Leave a comment