- Cisco Talos recently found a flaw in PHP-CGI being used in attacks against Japanese companies
- GreyNoise said the attacks are being seen worldwide and called for “immediate action”
- A patch was released in the summer of 2024, so update now
Cisco Talos cybersecurity researchers recently discovered a critical vulnerability in PHP-CGI that could soon become a “global problem”, and, echoing these findings, GreyNoise’s experts now warn that the threat requires “immediate action”.
In its report, GreyNoise pointed out that Cisco Talos recently observed threat actors targeting Japanese organizations through CVE-2024-4577, a critical remote code execution (RCE) flaw in PHP-CGI for which 79 exploits are available. Cisco Talos said the unidentified threat actor used the flaw to steal credentials and establish persistence on the target system, “indicating the probability of future attacks.”
“While Talos focused on victimology and the attackers’ tradecraft, GreyNoise telemetry reveals a much broader exploitation pattern that demands immediate action from defenders worldwide,” the report said.
United States, Singapore and other targets
Cisco Talos said the threat actors were exploiting the flaw to launch Cobalt Strike beacons and carry out post-exploitation activity using the TaoWu toolkit.
However, GreyNoise said the flaw was being abused in multiple parts of the world, including the United States, Singapore, Japan and other countries.
The attacks began in January of this year, with GreyNoise’s global observation network (a worldwide network of honeypots) detecting 1,089 unique IP addresses (essentially separate threat actors) attempting to exploit CVE-2024-4577 in January 2025 alone.
Almost half (43%) of the IP addresses targeting CVE-2024-4577 in the last 30 days came from Germany or China, GreyNoise said.
Cisco Talos has published guidance to help companies with internet-facing Windows systems exposing PHP-CGI mitigate the threat and defend against possible attacks, which you can find here. A patch was released in the summer of 2024, according to The Record, and GreyNoise added that users should run retrospective hunts to identify similar exploitation patterns.
Via The Record