PHP & Apache CVEs Exploited Actively Across Four Vulnerabilities

A threat activity cluster tracked via AlienVault OTX documents active exploitation across four distinct CVEs targeting PHP, Apache HTTP Server, and PHPUnit.
Sami Malik
Copywriter

A threat activity cluster tracked via AlienVault OTX documents active exploitation across four distinct CVEs targeting PHP, Apache HTTP Server, and PHPUnit installations. The campaign involves four attributed IP addresses and spans vulnerabilities ranging from 2017 through 2024, indicating opportunistic scanning against unpatched internet-facing systems. The breadth of CVEs involved, hitting different software stacks across different years, suggests automated exploitation infrastructure casting a wide net rather than targeted intrusion.

Why This Matters

CVE-2024-4577 is the newest vulnerability in this cluster and the one that should concern you most immediately. It affects PHP on Windows systems and allows unauthenticated remote code execution. The fact that it's already appearing alongside older, well-documented CVEs in an active exploitation cluster tells you attackers have folded it into automated tooling fast. If you're running PHP on Windows and haven't patched, you're already in the window of active exploitation.

CVE-2021-41773 is a path traversal and remote code execution flaw in Apache HTTP Server 2.4.49 that made headlines when it dropped. It was being mass-exploited within days of disclosure. Seeing it resurface here in 2024 is a reminder that vulnerable systems from three years ago are still reachable on the internet, and attackers know it. Organisations that expanded their attack surface during rapid cloud adoption or pandemic-era infrastructure sprawl and never fully audited what they left exposed are the likely victims here.

CVE-2017-9841 targets PHPUnit and enables remote code execution through the eval-stdin.php endpoint. It's nearly a decade old. Its continued presence in active exploitation clusters tells you something uncomfortable: there are still production environments running vulnerable PHPUnit installations, either because the dependency was never updated, was bundled into a legacy application, or simply fell off the patching radar. That's the exact kind of forgotten asset that threat actors are scanning for at scale.

Who Is at Risk

Systems running PHP on Windows are exposed to CVE-2024-4577, which affects multiple PHP version branches. If you haven't applied the patch released to address this specific flaw, assume you're vulnerable.

Apache HTTP Server version 2.4.49 specifically is affected by CVE-2021-41773. Version 2.4.50 was also subsequently found to have an incomplete fix for related issues, so if you're still on either of those versions, you need to move. Any version of Apache before the patched releases is at risk for path traversal leading to RCE if mod_cgi is enabled or if directory traversal protections aren't explicitly configured.

PHPUnit installations that expose the eval-stdin.php file in a web-accessible directory are vulnerable to CVE-2017-9841. This is particularly common in environments where PHPUnit was installed via Composer into a directory served by the web server — a misconfiguration that was widespread before the risk became well-known. Any application that shipped with vendor dependencies accessible over HTTP could be affected.

CVE-2022-47945 affects ThinkPHP, a PHP framework. Local file inclusion vulnerabilities in ThinkPHP put applications built on that framework at risk of arbitrary file read and potentially code execution depending on how the application handles included files.

Sectors with the most exposure include financial services, government, and any enterprise running legacy PHP-based web applications or older Apache deployments that haven't been systematically reviewed. Shared hosting environments and organisations with large numbers of web-facing applications are particularly exposed given the automated scanning behaviour this cluster exhibits.

Indicators of Compromise

Reviewing your logs and web application firewall data against these indicators of compromise should be your first step.

IPv4: 185.177.72.51

IPv4: 185.177.72.68

IPv4: 125.135.169.171

IPv4: 83.168.88.41

CVE: CVE-2024-4577

CVE: CVE-2021-41773

CVE: CVE-2017-9841

CVE: CVE-2022-47945

What to Do Now

Patch PHP on Windows immediately. CVE-2024-4577 is under active exploitation. Identify every PHP installation running on Windows in your environment and apply the vendor patch. This isn't a scheduled maintenance window item — do it now, out of cycle if necessary.

Upgrade Apache HTTP Server away from version 2.4.49 and 2.4.50. CVE-2021-41773 is trivially exploitable on 2.4.49 with mod_cgi enabled. Pull your Apache version inventory across all web-facing servers. If you find any instances on those versions, treat it as an active incident risk and patch or take offline immediately.

Audit and remove web-accessible PHPUnit vendor directories. Check whether any production web servers expose a vendor/phpunit path or the eval-stdin.php file over HTTP. The fix is to ensure your web root doesn't serve the vendor directory at all. Block it at the web server configuration level or move it outside the document root entirely. This should also be added to your deployment checklist going forward.

Review ThinkPHP deployments for CVE-2022-47945. If any applications in your environment use the ThinkPHP framework, check the installed version against the patched release that addresses the local file inclusion vulnerability. Apply vendor patches and review whether affected endpoints are exposed to the internet.

Block and hunt on the four attributed IPs. Add 185.177.72.51, 185.177.72.68, 125.135.169.171, and 83.168.88.41 to your blocklists at the perimeter. Then go back through your web server logs and WAF telemetry to determine whether any of these IPs have already made requests to your systems. If you see hits, escalate to incident response. Don't assume blocked traffic means no prior successful access.
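A constructed hunting script, added here and not part of the original article, that runs the log review described above over combined-format access logs: it flags requests from the four attributed IPs, requests for the PHPUnit eval-stdin.php endpoint, and URL-encoded dot-segment traversal of the kind used against Apache 2.4.49, and marks any 2xx response on an exploit path for escalation. The sample log lines are constructed; the regexes are detection heuristics, not an exhaustive signature set.

```python
import re

# The four IPs attributed in the cluster described above.
CLUSTER_IPS = {"185.177.72.51", "185.177.72.68", "125.135.169.171", "83.168.88.41"}

# Request-path heuristics tied to the CVEs in the cluster (detection only).
PATH_SIGNATURES = {
    # PHPUnit eval-stdin.php endpoint served over HTTP (CVE-2017-9841)
    "CVE-2017-9841": re.compile(r"/eval-stdin\.php(\?|$)", re.I),
    # URL-encoded dot segments, the encoding trick used for CVE-2021-41773 traversal
    "encoded-traversal": re.compile(r"(\.%2e|%2e\.|%2e%2e)", re.I),
}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ip"] in CLUSTER_IPS:
        reasons.append("cluster-ip")
    reasons += [name for name, rx in PATH_SIGNATURES.items() if rx.search(m["path"])]
    if not reasons:
        return None
    status = int(m["status"])
    exploit_path = any(r != "cluster-ip" for r in reasons)
    return {
        "ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": status,
        "reasons": reasons,
        # a 2xx on an exploit path means the request hit a live handler: escalate to IR
        "escalate": exploit_path and 200 <= status < 300,
    }

def hunt(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
185.177.72.51 - - [10/Jun/2024:12:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2024:12:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024
83.168.88.41 - - [10/Jun/2024:12:01:09 +0000] "GET /cgi-bin/.%2e/%2e%2e/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Jun/2024:12:02:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        tag = "ESCALATE" if f["escalate"] else "review  "
        print(f"{tag} {f['ip']} {f['status']} {f['path']} {f['reasons']}")
```

Feed real logs with `hunt(open("/var/log/apache2/access.log"))`; a blocked or 404 hit from a cluster IP still warrants a look at what else that address touched.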

Frequently Asked Questions

Is CVE-2021-41773 still being actively exploited in 2024?

Yes. Its presence in this active exploitation cluster confirms it's still being used in automated scanning and attack campaigns. Unpatched Apache 2.4.49 instances remain reachable on the internet, and attackers continue to target them. Age of a CVE doesn't correlate with reduced exploitation risk if vulnerable systems stay online.

Does CVE-2024-4577 only affect Windows PHP installations?

Based on the source material, CVE-2024-4577 affects PHP running on Windows. If your PHP deployments are exclusively on Linux, your exposure to this specific CVE is different, but you should still verify your version and configuration against vendor guidance given the active exploitation context.

How do I know if PHPUnit's eval-stdin.php is exposed on my servers?

Check whether your web root or any web-accessible path contains a vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php file. A direct HTTP request to that path returning a 200 status confirms exposure. The fix is to block web access to the vendor directory entirely or relocate it outside your document root.
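An on-disk check complementing the HTTP probe above, added as an example and not the article's own tooling: it walks each configured document root and reports the PHPUnit eval-stdin.php path as well as any Composer vendor directory (identified by the vendor/autoload.php file Composer writes) sitting inside a web-served tree, since that is the misconfiguration the fix targets. Document root paths are assumptions to be replaced with your own.

```python
import os
import sys
from pathlib import Path

# Path of the CVE-2017-9841 endpoint relative to a Composer vendor directory's parent.
EVAL_STDIN_SUFFIX = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

def audit_docroots(docroots):
    """Return (docroot, kind, path) tuples for every exposed vendor dir or eval-stdin.php.

    kind is "vendor-dir" for a Composer vendor/ directory under the web root and
    "CVE-2017-9841" for the eval-stdin.php file itself.
    """
    findings = []
    for root in map(Path, docroots):
        if not root.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            d = Path(dirpath)
            # Composer always writes vendor/autoload.php; treat that as the marker.
            if d.name == "vendor" and "autoload.php" in filenames:
                findings.append((str(root), "vendor-dir", str(d)))
            if "eval-stdin.php" in filenames:
                candidate = d / "eval-stdin.php"
                if candidate.as_posix().endswith(EVAL_STDIN_SUFFIX):
                    findings.append((str(root), "CVE-2017-9841", str(candidate)))
    return findings

if __name__ == "__main__":
    # Assumed default roots; pass your own as arguments.
    roots = sys.argv[1:] or ["/var/www/html", "/srv/www"]
    for root, kind, path in audit_docroots(roots):
        print(f"{kind:15} {path}  (under docroot {root})")
```

A clean run prints nothing; any "vendor-dir" hit should be moved outside the document root or denied in the web server configuration, not just the single file removed.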

Should I treat these IPs as indicators of a targeted attack or mass scanning?

The combination of multiple CVEs across different software stacks in a single cluster points strongly to automated, opportunistic scanning rather than a targeted campaign. That doesn't reduce the risk, as mass exploitation still results in real compromise. Block the IPs and investigate any prior contact with your infrastructure regardless.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
