The Botnet Blitz: Mirai, Gafgyt Fuel RCE Attacks on PHP Servers, IoT, & Cloud Gateways
A sharp surge in attacks targeting PHP servers, Internet of Things (IoT) devices, and cloud gateways has been recorded by researchers from the Qualys Threat Research Unit (TRU). According to their findings, the escalation in activity is driven by the Mirai, Gafgyt, and Mozi botnets, which exploit known vulnerabilities and configuration flaws in cloud environments to rapidly expand their networks.
PHP remains one of the internet's most widely deployed, and therefore most attacked, components: it runs over 73% of websites with a known server-side language. Separately, more than 80% of organizations report incidents linked to misconfigured cloud infrastructure. Together these make PHP-based servers, including WordPress installations, prime targets for attacks aimed at remote code execution and data theft.
Researchers note that cybercriminals have long relied on routers and IoT devices to construct botnets. Nearly a decade ago, Mirai infected hundreds of thousands of devices using little more than 60 default username and password combinations. Today that same strategy has reemerged in a modern form: botnets now exploit contemporary vulnerabilities and weaknesses within cloud systems.
Among the most actively exploited flaws, Qualys highlights several critical vulnerabilities:
- CVE-2022-47945 — a local file inclusion flaw in ThinkPHP's multi-language feature (the `lang` parameter is not properly validated), which attackers chain into remote code execution;
- CVE-2021-3129 — remote code execution through the Laravel Ignition debug endpoint (`_ignition/execute-solution`) when debug mode is left enabled in production;
- CVE-2017-9841 — an old PHPUnit flaw: `eval-stdin.php` evaluates the body of an HTTP request as PHP, so any server whose `vendor/` directory is web-reachable gives remote code execution.
Attackers also take advantage of careless environment configurations, such as debuggers like Xdebug left reachable in production or secrets stored in plaintext files. Numerous attempts have been observed to fetch AWS credential files (such as `.aws/credentials`) from exposed Linux servers.
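The misconfigurations above are cheap to check for on the host itself. The following is an added example, not code from the Qualys report: a small audit of a Laravel-style PHP deployment that flags the PHPUnit helper sitting under the web root, `APP_DEBUG=true`, plaintext cloud and database secrets in `.env`, and Xdebug loaded with a mode other than `off`. The directory tree it audits is constructed in a temporary directory (with a weak and a hardened variant); the file locations and severity labels are this example's own assumptions.

```python
"""Audit a PHP document root for the deployment mistakes the report describes:
debug tooling left on, secrets in plaintext files, sensitive files web-reachable.

Added example, not from the Qualys report. The sample tree is constructed in a
temporary directory; paths checked are the usual Laravel/Composer/Xdebug
locations and the severity labels are this example's own choice.
"""
import tempfile
from pathlib import Path

# Files that must never sit under a web-served directory.
WEB_EXPOSED = [
    "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",  # CVE-2017-9841 entry point
    ".env",                                                 # framework secrets
    ".aws/credentials",                                     # cloud keys
    ".git/config",
]
# .env keys whose presence means a secret is stored in plaintext on disk.
SECRET_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "DB_PASSWORD")


def parse_env(text):
    """Minimal KEY=VALUE parser for .env / php.ini text (comments, blanks, [sections] skipped)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_docroot(docroot, php_ini=None):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    root = Path(docroot)
    findings = []
    for rel in WEB_EXPOSED:
        if (root / rel).exists():
            findings.append(("high", f"{rel} is reachable under the document root"))
    env_file = root / ".env"
    if not env_file.exists():
        env_file = root.parent / ".env"  # Laravel keeps .env one level above public/
    if env_file.exists():
        env = parse_env(env_file.read_text())
        if env.get("APP_DEBUG", "false").lower() == "true":  # Laravel defaults APP_DEBUG to false
            findings.append(("high", "APP_DEBUG=true: Ignition debug pages (CVE-2021-3129 surface) are on"))
        for key in SECRET_KEYS:
            if env.get(key):
                findings.append(("medium", f"{key} stored in plaintext in {env_file.name}; move it to a vault"))
    if php_ini:
        ini = parse_env(Path(php_ini).read_text())
        xdebug_loaded = any(k.startswith("zend_extension") and "xdebug" in v for k, v in ini.items())
        # Xdebug 3 defaults to mode "develop" when xdebug.mode is unset.
        if xdebug_loaded and ini.get("xdebug.mode", "develop") != "off":
            findings.append(("high", "Xdebug loaded with xdebug.mode != off in production"))
    return findings


def build_sample_tree(base, hardened=False):
    """Construct a Laravel-style deployment; weak by default, corrected when hardened=True."""
    public = Path(base) / "app" / "public"
    public.mkdir(parents=True)
    if not hardened:
        bad = public / "vendor/phpunit/phpunit/src/Util/PHP"
        bad.mkdir(parents=True)
        (bad / "eval-stdin.php").write_text("<?php // placeholder for the PHPUnit helper\n")
    (Path(base) / "app" / ".env").write_text(
        "APP_ENV=production\n"
        + ("APP_DEBUG=false\n" if hardened else "APP_DEBUG=true\n")
        + "APP_KEY=base64:constructed\n"
        + ("" if hardened else "DB_PASSWORD=s3cret\nAWS_SECRET_ACCESS_KEY=constructed-not-real\n")
    )
    ini = Path(base) / "php.ini"
    ini.write_text("zend_extension=xdebug.so\n" + ("xdebug.mode=off\n" if hardened else "xdebug.mode=debug\n"))
    return public, ini


def run_demo(hardened=False):
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot, ini = build_sample_tree(tmp, hardened=hardened)
        return audit_docroot(docroot, php_ini=ini)


if __name__ == "__main__":
    for sev, msg in run_demo():
        print(f"[{sev}] {msg}")
    print("hardened tree findings:", run_demo(hardened=True))
```

Run it against a real deployment by calling `audit_docroot("/var/www/app/public", php_ini="/etc/php/8.2/fpm/php.ini")`; the hardened sample tree, where only `APP_DEBUG` and `xdebug.mode` differ and the `vendor/` tree is outside the web root, produces no findings.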
IoT devices remain a critical weak point because of outdated firmware. The report references CVE-2024-3721, a command injection vulnerability in TBK DVR systems already weaponized by Mirai-like botnets. Similar issues were found in MVPower DVRs, where an embedded backdoor executes shell commands without authentication and gives full remote control.
Whereas botnets were once primarily deployed for DDoS attacks and cryptomining, they are now increasingly leveraged for credential harvesting, password brute-forcing, and large-scale identity compromise campaigns.
The threat extends well beyond the IoT sector. The CVE-2022-22947 flaw in Spring Cloud Gateway enables unauthenticated remote code execution, posing a significant risk to cloud-based systems. Meanwhile, developers often create and interconnect services faster than security teams can catalog or secure them—introducing new entry points for attackers.
Experts recommend that organizations adopt a risk-based approach to vulnerability management—prioritizing remediation based on asset criticality, likelihood of exploitation, and potential impact. Among Qualys’ key recommendations are timely component updates, disabling debugging tools in production, storing secrets within secure vaults, restricting network exposure, and continuously auditing cloud logs for abuse indicators.
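The recommendation to audit logs for abuse indicators can be made concrete for the weaknesses listed earlier, since each is reached through a distinctive request path. The following is an added example, not code from the Qualys report: a detector that parses combined-format web server access logs, URL-decodes each request target, and matches it against signatures for the three PHP CVEs, the Spring Cloud Gateway and DVR flaws, and the `.env` and `.aws/credentials` probes. The log lines are constructed for the example; the signature patterns are this example's own, written from the publicly known request paths.

```python
"""Flag scan/exploit attempts against the PHP, IoT and cloud-gateway weaknesses
named in the report, using request-path signatures over access logs.

Added example, not from the Qualys report. Log lines are constructed; the
signatures are this example's own and cover the known request paths only.
"""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (label, regex applied to the URL-decoded request target)
SIGNATURES = [
    ("CVE-2017-9841 phpunit eval-stdin", re.compile(r"/phpunit/.*/eval-stdin\.php", re.I)),
    ("CVE-2021-3129 laravel ignition", re.compile(r"/_ignition/execute-solution", re.I)),
    ("CVE-2022-47945 thinkphp lang LFI", re.compile(r"[?&]lang=[^&]*\.\./", re.I)),
    ("CVE-2022-22947 spring cloud gateway", re.compile(r"/actuator/gateway/routes", re.I)),
    ("CVE-2024-3721 tbk dvr", re.compile(r"/device\.rsp\?.*\bmdb=", re.I)),
    ("MVPower DVR backdoor", re.compile(r"/shell\?", re.I)),
    ("AWS credential file probe", re.compile(r"/\.aws/credentials", re.I)),
    ("exposed .env probe", re.compile(r"(^|/)\.env(\.|$|\?)", re.I)),
]


def parse_line(line):
    """Return the parsed fields with a URL-decoded target, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["target"] = unquote(rec["target"])  # decode %2e%2e%2f style evasion before matching
    return rec


def classify(target):
    """Labels of every signature the (decoded) request target matches."""
    return [label for label, rx in SIGNATURES if rx.search(target)]


def detect(lines):
    """One hit per (log line, matched signature)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label in classify(rec["target"]):
            hits.append({"ip": rec["ip"], "label": label, "method": rec["method"],
                         "status": rec["status"], "target": rec["target"]})
    return hits


def noisy_sources(hits, min_labels=2):
    """IPs that probed several distinct weaknesses: the mass-scanner pattern the report describes."""
    seen = {}
    for h in hits:
        seen.setdefault(h["ip"], set()).add(h["label"])
    return {ip: sorted(labels) for ip, labels in seen.items() if len(labels) >= min_labels}


# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2025:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2025:10:01:03 +0000] "GET /.env HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2025:10:01:04 +0000] "POST /_ignition/execute-solution HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:02:10 +0000] "GET /index.php?lang=../../../../../../usr/local/lib/php/pearcmd HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [12/Nov/2025:10:02:11 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc= HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [12/Nov/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Nov/2025:10:03:01 +0000] "GET /blog/?lang=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Nov/2025:10:04:00 +0000] "POST /actuator/gateway/routes/x HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.10 - - [12/Nov/2025:10:04:01 +0000] "GET /.aws/credentials HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.10 - - [12/Nov/2025:10:04:02 +0000] "GET /shell?cd+/tmp HTTP/1.1" 404 153 "-" "python-requests/2.31"
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ip"]:<13} {h["status"]} {h["label"]:<36} {h["target"]}')
    print("multi-signature sources:", noisy_sources(hits))
```

A 200 on the ThinkPHP `lang=../` line deserves immediate attention, since the other probes in the sample were rejected; in practice, feed the detector `tail -f`'d access logs and alert on `noisy_sources` plus any hit with a 2xx status.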
TRU warns that sophisticated technical expertise is no longer required to inflict damage—exploits and scanning tools are readily available in the public domain, enabling even novice attackers to cause widespread disruption. The team urges organizations to implement continuous monitoring and automated patch management to defend PHP servers, IoT devices, and cloud infrastructures against this ongoing wave of attacks.