Ransomware Operators Exploit Critical PHP Vulnerability for RCE

Industry | Written by Halcyon Team | Published on Mar 12, 2025

A critical vulnerability in PHP, tracked as CVE-2024-4577 with a CVSS score of 9.8, is being widely exploited by threat actors. The flaw affects Windows servers running Apache and PHP-CGI configured with specific code pages, and it enables remote code execution through argument injection, SecurityWeek reports.

The vulnerability arises from PHP's handling of the Windows 'Best-Fit' character mapping, under which certain Unicode characters are converted to visually similar ANSI characters. Attackers can exploit this by supplying character sequences that, after that conversion, are misinterpreted by the php-cgi module as PHP command-line options.

Publicly disclosed in June 2024, CVE-2024-4577 saw initial exploitation by a ransomware group within two days. In January 2025, researchers reported a malicious campaign targeting Japanese sectors such as education, entertainment, e-commerce, technology, and telecommunications.  

Attackers in these incidents gained System privileges, modified registry keys, added scheduled tasks for persistence, and created malicious services using Cobalt Strike's 'TaoWu' plugins.  

Researchers have observed that exploitation is not confined to Japan; significant activity spikes have occurred in the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain, and Malaysia.  

In the past month, over 43% of attacking IPs originated from Germany and China. February saw increased exploitation globally, indicating automated scanning for vulnerable systems.  

CVE-2024-4577 affects all PHP versions on Windows. The issue was resolved in PHP 8.1.29, 8.2.20, and 8.3.8; administrators should promptly update their installations to these versions to mitigate the threat.
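The fixed releases above are the practical test for this CVE, so here is an added example (not code from the post, Halcyon, or the PHP project) that audits a PHP version string against them. It assumes the output format of `php-cgi -v`, treats branches with no listed fix (EOL 7.x and 8.0) as affected, as the post states, and treats branches newer than 8.3 as shipped with the fix.

```python
"""Audit a PHP build against the CVE-2024-4577 fixed releases."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases per supported branch, as named in the advisory summary above.
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from text such as 'PHP 8.2.19 (cgi-fcgi) ...'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no PHP version found in: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if this PHP build predates the CVE-2024-4577 fix for its branch.

    Branches without a listed fix (EOL 7.x, 8.0) never received a patch and are
    reported vulnerable (assumption consistent with "all PHP versions on
    Windows"); branches newer than 8.3 were released after the fix.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    return branch < (8, 1)


def audit_local_php(php_binary: str = "php-cgi") -> Optional[bool]:
    """Run `<php_binary> -v` (hypothetical path) and audit its banner."""
    try:
        out = subprocess.run([php_binary, "-v"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None  # binary not present or not runnable on this host
    return is_vulnerable(out)


if __name__ == "__main__":
    result = audit_local_php()
    print("php-cgi not found" if result is None else f"vulnerable: {result}")
```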

Takeaway: Ransomware operators are increasingly exploiting older, unpatched vulnerabilities to infiltrate organizational networks, underscoring the critical importance of timely patch management—a challenge many organizations continue to face.

The automation of exploits has further enabled attackers to swiftly take advantage of such vulnerabilities with minimal human intervention. This efficiency accelerates the attack process and broadens its scope, allowing cybercriminals to target multiple organizations simultaneously.  

The convergence of zero-day exploits and automation in ransomware attacks presents significant challenges for organizational cybersecurity. Traditional security measures, which often rely on signature-based and rules-based detections, are insufficient against these advanced threats. Organizations must adopt a multilayered security approach that includes proactive vulnerability management, behavioral analysis, threat hunting, and incident response planning.  

Previous research found that more than three-quarters of all ransomware-related vulnerability exploits observed targeted older bugs for which patches were already available. There are only two reasons for an organization having failed to patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. Organizations that wanted to patch but couldn’t are where the real work needs to be done.  

Patching systems can be highly complex for some organizations. To avoid breaking critical business systems, patches often need to be applied in development and tested prior to production. Even then, some issues prevent patching due to legacy systems or internal applications that will break if the patch is applied. This can result in months of work before a patch can be deployed throughout the network.  

However, for those who could patch but didn't, there is little excuse. Addressing the "low-hanging fruit" organizations whose poor security practices make them a ripe target for attackers could significantly reduce this growing threat.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.