What’s Going on With CVE-2024-4577 (Critical RCE in PHP)?
ID: 2fee47b3-94ac-5f80-a01e-266005366bf3
STIX ID: report--2fee47b3-94ac-5f80-a01e-266005366bf3
Feed Name: GreyNoise Labs
This blog post analyzes active exploitation of CVE-2024-4577, a Windows PHP-CGI argument-injection RCE. It shows multiple real-world payloads and confirmed RCE attempts that fetched and executed Cobalt Strike beacons and Gh0st RAT variants. The report provides payload examples, observed source IPs, domains and URLs, and attacker TTPs (certutil, PowerShell, php://input auto_prepend_file). It also notes that overall exposure is limited: scans indicate ~0.5% of XAMPP hosts are vulnerable.
