
Unmasked: PHP instances frequently become victims of TellYouThePass ransomware attacks

Known exploited vulnerability added to CISA catalog, majority of affected hosts detected in China thus far.

PHP instances with insufficient security are frequently subjected to attacks by TellYouThePass ransomware.


A critical remote code execution vulnerability, CVE-2024-4577, affects a wide range of users, from individual website maintainers to enterprise websites. The flaw, which primarily impacts Windows PHP CGI environments, was first detected by researchers at Imperva on June 7.

PHP's latest patch releases, 8.3.8, 8.2.20, and 8.1.29, were published on June 6 to address this issue. However, researchers from Censys have warned of increased exploitation activity by the TellYouThePass ransomware group, which has been active since at least 2019.

TellYouThePass has previously leveraged vulnerabilities such as Apache Log4j (CVE-2021-44228) and a vulnerability in Apache ActiveMQ (CVE-2023-46604). As of now, there is no direct evidence or detailed reports linking TellYouThePass to active exploitation of CVE-2024-4577. Analysis of payloads suggests some confusion by attackers attempting to use this vulnerability against Linux systems, indicating possible operational errors by threat actors rather than targeted campaigns.

The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its Known Exploited Vulnerabilities catalog on Wednesday. As of mid-2025, this vulnerability still allows attackers to execute arbitrary code by abusing how PHP treats POST content as executable PHP code under certain configurations. Successful exploitation can lead to full server compromise, data theft, and malware infection for organizations running PHP versions susceptible to this flaw.

Researchers from Palo Alto Networks have also confirmed active exploitation activity as of June 11. The number of observed infections has been declining, with about 1,000 infected hosts observed as of Thursday, primarily located in China. The direct impact on the U.S. is currently limited, with the number of compromised hosts peaking at 39 on Tuesday, compared to a high of 962 compromised hosts in China as of Monday.

It's worth noting that the threat actors appear to be mass scanning the internet rather than targeting specific organizations. The vulnerability, which carries a CVSS score of 9.8, lets an unauthenticated attacker bypass the protection previously added for CVE-2012-1823 and achieve remote code execution.

In summary, promptly updating PHP to a patched version is the main recommended mitigation for supported platforms. Organizations running PHP versions susceptible to CVE-2024-4577 remain exposed to arbitrary code execution, which can have serious consequences. Stay vigilant and ensure your PHP systems are up to date to protect against this ongoing threat.
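As an added illustration of the patching advice above (example code written for this page, not part of the original article or of any vendor tooling), the helper below triages `php -v` banners against the three fixed releases the article names and flags the Windows CGI configuration it describes. Assumptions not stated in the article: branches older than 8.1 are end of life and never received the fix, branches newer than 8.3 were released after it, Windows builds mention "Visual C++" in their banner, and the sample banners are constructed.

```python
"""Triage PHP builds against the CVE-2024-4577 patch releases (8.3.8, 8.2.20, 8.1.29)."""
import re
from typing import NamedTuple, Tuple

# Fixed release per affected branch, as listed in the article.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

class PhpBuild(NamedTuple):
    version: Tuple[int, int, int]
    sapi: str          # e.g. "cli", "cgi-fcgi", "fpm-fcgi"
    windows: bool

# "PHP 8.2.19 (cgi-fcgi) (built: ...)" -> major, minor, patch, SAPI
_PHP_V = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)")

def parse_php_v(banner: str) -> PhpBuild:
    """Parse the first line of `php -v` output into a PhpBuild."""
    m = _PHP_V.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised php -v banner: {banner!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # Assumption: Windows builds print the compiler ("Visual C++") in the banner.
    return PhpBuild(version, m.group(4), "Visual C++" in banner)

def is_patched(version: Tuple[int, int, int]) -> bool:
    """True if this version carries the CVE-2024-4577 fix."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]      # tuple comparison: (8,2,19) < (8,2,20)
    # Assumption: 8.4+ shipped after the fix; 8.0 and older are EOL and unfixed.
    return branch > (8, 3)

def triage(build: PhpBuild) -> str:
    """Classify a build: 'patched', 'vulnerable' (Windows CGI), or 'unpatched-version'."""
    if is_patched(build.version):
        return "patched"
    if build.windows and build.sapi.startswith("cgi"):
        return "vulnerable"          # the exposed configuration the article describes
    return "unpatched-version"       # still update; exposure depends on configuration

if __name__ == "__main__":
    SAMPLES = [  # constructed banners, not captured from real hosts
        "PHP 8.2.19 (cgi-fcgi) (built: May  8 2024 10:24:17) (NTS Visual C++ 2019 x64)",
        "PHP 8.3.8 (cli) (built: Jun  6 2024 12:00:00) (NTS Visual C++ 2019 x64)",
        "PHP 8.1.28 (fpm-fcgi) (built: Apr 10 2024 09:00:00) (NTS)",
    ]
    for line in SAMPLES:
        print(triage(parse_php_v(line)), "<-", line)
```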

  1. The TellYouThePass ransomware group, active since at least 2019, has been linked to increased exploitation activity involving ransomware, specifically targeting the vulnerability CVE-2024-4577 in the PHP programming language.
  2. In the general-news and crime-and-justice sectors, a growing concern is the exploitation of CVE-2024-4577 by cybercriminals, with reports suggesting that this flaw poses a significant risk to organizations running susceptible PHP versions.
  3. The cybersecurity community advises staying vigilant in the face of ongoing threats such as ransomware attacks, and emphasizes the importance of keeping technology updated, particularly PHP systems, to mitigate vulnerabilities like CVE-2024-4577.
