PHP Servers and IoT Devices Face Growing Cyber-Attack Risks

A sharp increase in attacks targeting PHP servers, internet of things (IoT) devices and cloud gateways has been identified by cybersecurity researchers.

The latest report by the Qualys Threat Research Unit (TRU), published today, attributes the rise to botnets such as Mirai, Gafgyt and Mozi, which are exploiting known CVEs and cloud misconfigurations to expand their reach.

With PHP powering over 73% of websites and 82% of enterprises reporting incidents linked to cloud misconfigurations, the digital attack surface continues to grow. This makes servers running PHP-based applications, such as WordPress, especially attractive to attackers seeking remote code execution (RCE) or data theft opportunities.

“Routers and IoT devices have long been targeted and compromised to form increasingly large botnets,” said James Maude, field CTO at BeyondTrust.

“Almost a decade ago, we saw the rise of the Mirai botnet, which initially abused 60 default usernames and passwords to log into and infect a huge number of devices.”

He added that while history doesn’t repeat itself, “it often rhymes when it comes to router compromise and botnets.”

Key Vulnerabilities Under Active Attack

Qualys highlighted several vulnerabilities currently being exploited in the wild:

  • CVE-2022-47945: An RCE flaw in ThinkPHP due to improper input sanitization

  • CVE-2021-3129: A Laravel Ignition debugging route left active in production

  • CVE-2017-9841: A long-standing PHPUnit flaw exposing the eval-stdin.php script

Attackers also exploit insecure configurations, such as active debugging tools like XDebug or improperly stored secrets.

Qualys researchers noted frequent attempts to retrieve sensitive Amazon Web Services (AWS) credential files from exposed Linux servers.
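The probes listed above leave recognizable traces in web server access logs. The following Python script is an added example, not code from the Qualys report or this article: it classifies access-log lines by the issue they probe for and groups hits per source IP. The URL patterns are assumptions based on the publicly documented locations of these files and routes, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Probe signatures keyed by the issue named in the article. The URL fragments
# are assumptions (publicly documented file and route locations); tune them
# to your own deployment.
SIGNATURES = {
    "CVE-2017-9841 (PHPUnit eval-stdin.php)": re.compile(r"/eval-stdin\.php", re.I),
    "CVE-2021-3129 (Laravel Ignition route)": re.compile(r"/_ignition/", re.I),
    "XDebug session trigger": re.compile(r"[?&]XDEBUG_SESSION(_START)?=", re.I),
    "AWS credential file request": re.compile(r"\.aws/(credentials|config)\b", re.I),
}

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def classify(line):
    """Return (ip, status, [matched signature names]) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    path = unquote(path)  # catch percent-encoded variants such as %2eaws
    hits = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    return ip, int(status), hits

def summarize(lines):
    """Group probe hits per source IP; flag IPs whose probes got a 2xx reply."""
    report = defaultdict(lambda: {"probes": set(), "served": False})
    for line in lines:
        parsed = classify(line)
        if not parsed or not parsed[2]:
            continue
        ip, status, hits = parsed
        report[ip]["probes"].update(hits)
        # A 2xx means the server answered instead of rejecting: triage first.
        report[ip]["served"] |= 200 <= status < 300
    return dict(report)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /.aws/credentials HTTP/1.1" 200 212 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2025:10:05:10 +0000] "POST /_ignition/execute-solution HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/Jan/2025:10:05:11 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '192.0.2.10 - - [01/Jan/2025:10:06:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

An IP with `served` set to true deserves attention before the rest, since at least one of its probes was answered rather than rejected.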

IoT and Cloud Systems Remain Exposed

IoT devices remain a persistent weak link, particularly those running outdated firmware. The report cites CVE-2024-3721, a TBK DVR command injection flaw exploited by Mirai-like botnets and similar attacks targeting MVPower DVRs with built-in backdoors.

“While botnets have previously been associated with large-scale DDoS attacks and occasional crypto-mining scams, in the age of identity security threats, we see them taking on a new role in the threat ecosystem,” Maude said.

He explained that access to vast networks of compromised routers allows attackers to perform large-scale credential stuffing and password spraying campaigns.

Cloud-native environments are also at risk, with CVE-2022-22947 in Spring Cloud Gateway allowing unauthenticated code execution.

“Security teams once had positive control of the data centers where production data and systems lived,” said Trey Ford, chief strategy and trust officer at Bugcrowd.

“In the age of modern cloud-native and infrastructure as code, developers have the ability to both light up and connect services and infrastructure faster than security teams can identify it.”

Ford emphasized that “staying current with your attack surface is a critical path capability,” adding, “if you can’t see it, can’t identify changes, how can you defend it?”

Building Resilience Against Exploitation

Scott Schneider, partner GTM at iCOUNTER, noted that “risk-based vulnerability management (RBVM) is an effective method to tackle an ever-growing list of vulnerabilities.”

By evaluating asset criticality, threat likelihood and exposure, organizations can “focus their remediation efforts on the vulnerabilities that present the most immediate and serious risks,” he explained.

To reduce exposure, Qualys also recommended:

  • Timely patching of software and frameworks

  • Disabling development and debugging tools in production

  • Using managed stores for secrets rather than plaintext files

  • Restricting network access to essential IPs only

  • Monitoring cloud access logs for credential misuse

Qualys concluded that attackers no longer need advanced skills to launch impactful attacks.

“With widely available exploit kits and scanning tools, even entry-level actors can cause significant damage,” the researchers said.

The company urged organizations to adopt continuous visibility and automated remediation to defend PHP servers, IoT devices and cloud systems from ongoing exploitation.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).