Threat intelligence firm GreyNoise has warned that a critical PHP vulnerability (CVE-2024-4577) affecting Windows systems is being mass-exploited by threat actors.
Tracked as CVE-2024-4577, the flaw impacts Windows installations of PHP running in CGI (Common Gateway Interface) mode. If successfully exploited, attackers can execute arbitrary code, leading to full system compromise. The vulnerability was first addressed in a security update released by PHP maintainers on June 7, 2024. However, exploitation attempts began soon after, with WatchTowr Labs releasing proof-of-concept (PoC) exploit code, followed by Shadowserver Foundation reporting on initial exploit attempts.
GreyNoise’s warning comes after a recent report from Cisco Talos, which revealed that an unknown attacker has been actively exploiting the vulnerability against organizations in Japan since at least January 2025. Cisco Talos said that the attackers' primary objective appears to be credential harvesting.
GreyNoise’s recent data suggests that the scope of exploitation extends beyond Japan. According to the firm, more than 43% of IPs targeting CVE-2024-4577 in the past 30 days have originated from Germany and China. GreyNoise also reported that at least 79 exploit scripts are now publicly available online.
In February 2025, a coordinated surge in exploitation attempts was detected, targeting vulnerable systems across multiple countries. This pattern suggests a significant rise in automated scanning for vulnerable targets, which could lead to more widespread and damaging attacks in the coming weeks.