CVE-2024-4577: Ongoing Exploitation of a Critical PHP Vulnerability

Keypoints

• CVE-2024-4577 is a critical RCE in PHP running in CGI mode on Windows, caused by Best Fit character encoding conversions.
• A patch was released by the PHP development team on June 6, 2024.
• Imperva reported the first exploitation of the vulnerability by threat actors deploying ransomware under the TellYouThePass campaign (June 8, 2024).
• CGSI detected multiple scanning attempts from various locations, including an IP linked to Muhstik, suggesting payload delivery activity and possible links to RocketMQ-era actors.
• Muhstik is known for targeting IoT devices and Linux servers to enable cryptocurrency mining and DDoS activities.
• WatchTowr Labs published a PoC; CGSI observed live exploitation attempts shortly after the patch release.
• Recommendations include upgrading PHP to 8.3.8, 8.2.20, or 8.1.29 and conducting regular security audits and pentests.