Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability in the PHP programming language that executes malicious code on web servers, security researchers said.

The vulnerability affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing.

censys.com/cve-2024-4577-pt2/

This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default.

The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday.

imperva.com/blog/update-cve-20

Censys researchers said that the exploitation by the TYTP gang started on June 7 and mirrored past incidents in which attackers mass-scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately target any accessible server.


“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform.


search.censys.io/search?resour

The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
