- Cisco Talos recently found a bug in PHP-CGI, used in attacks against Japanese companies
- GreyNoise said that attacks are being seen worldwide and has called for “immediate action”
- A fix was published in the summer of 2024, so get up to date
Cisco Talos cybersecurity researchers recently discovered a critical PHP-CGI vulnerability which could soon become a “global problem”, and, doubling down on these findings, GreyNoise experts have now called for “immediate action” to tackle the threat.
In its report, GreyNoise noted how Cisco Talos recently observed threat actors targeting Japanese organizations via CVE-2024-4577, a critical remote code execution (RCE) flaw in PHP-CGI, with 79 available exploits. Cisco Talos said that the unknown threat actor had used the bug to steal credentials and establish persistence on the target systems, “indicating the likelihood of future attacks”.
“While Talos has focused on victimology and attackers’ tradecraft, GreyNoise telemetry reveals a much broader exploitation pattern requiring immediate action by defenders around the world,” said the report.
The United States, Singapore and other targets
Cisco Talos said that threat actors exploited the flaw to drop Cobalt Strike beacons and carry out post-exploitation activities using the TaoWu toolkit.
However, GreyNoise said that the flaw was being abused in several parts of the world, including the United States, Singapore, Japan and other countries.
The attacks began in January of this year, with GreyNoise’s Global Observation Grid (a worldwide network of honeypots) detecting 1,089 unique IPs (mostly distinct threat actors) attempting to exploit CVE-2024-4577 in January 2025.
Almost half (43%) of the IPs targeting CVE-2024-4577 in the last 30 days came from Germany or China, said GreyNoise.
Cisco Talos has published guidance to help companies with internet-facing Windows systems exposing PHP-CGI mitigate the threat and defend against potential attacks, which you can find here. A fix was published in the summer of 2024, The Record reports, and GreyNoise added that users should run retro-hunts to identify similar exploitation patterns.
Via The Record