A simple and reliable bug has been found in a widely used web application framework, and it is now being exploited at an increasing rate by hackers and other malicious actors to spread malware and recruit compromised servers into botnets. Exploits targeting the bug are publicly available online, and even though a patch has been released, many sites are still vulnerable.
Security researchers are warning that they have seen a spike in attacks using an Apache Struts 2 vulnerability in the 48 hours since a patch for the bug was released. It is unclear why attackers have become much more active after the vulnerability was officially fixed, but many sites are reportedly still at risk.
Hackers taking advantage of this exploit can use it to disable a server's firewall, upload payloads and execute arbitrary commands on the target system. Cisco researcher Nick Biasini said in a statement quoted by Ars Technica:
The payloads being delivered vary considerably, and to their credit, many of the sites have already been taken down and the payloads are no longer available. They fall into two broad categories: probing and malware distribution. These are several of the many examples of attacks we are currently observing and blocking.
Security companies tracking the bug as CVE-2017-5638 say the following versions of the web application framework are vulnerable: Apache Struts 2.3.5 – 2.3.31 and Apache Struts 2.5 – 2.5.10. Researchers have also said that the existing exploits are publicly available, highly reliable and trivial to use, especially as they do not require any authentication on the attacked server.
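The version ranges above are what a defender needs to triage an estate of Struts deployments, and the obvious pitfall is comparing version strings lexically ("2.3.31" sorts before "2.3.5"). The following is an added example, not code from the article or from the Apache Struts project: it parses a version string into a tuple of integers and checks it against the two ranges quoted above. The helper that pulls the version out of a jar file name assumes the usual struts2-core-<version>.jar naming; that naming convention and the sample file names are assumptions for the example, not taken from the article.

```python
import re

# Vulnerable ranges as stated in the article for CVE-2017-5638.
# Lower bound "2.5" is kept as (2, 5) so that a bare "2.5" matches it.
VULNERABLE_RANGES = [
    ((2, 3, 5), (2, 3, 31)),   # Apache Struts 2.3.5 - 2.3.31
    ((2, 5), (2, 5, 10)),      # Apache Struts 2.5 - 2.5.10
]

# Assumed artifact naming convention (example assumption): struts2-core-<version>.jar
JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version):
    """Turn '2.3.31' into (2, 3, 31).

    Comparing tuples of ints avoids the string-comparison trap where
    '2.3.31' < '2.3.5'. All components are kept (no truncation) so that a
    point release such as '2.5.10.1' compares greater than '2.5.10' and is
    therefore outside the quoted range. Trailing non-numeric suffixes on a
    component (e.g. '31-SNAPSHOT') are dropped.
    """
    nums = []
    for part in version.strip().split("."):
        match = re.match(r"\d+", part)
        if match is None:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(match.group(0)))
    return tuple(nums)


def is_vulnerable(version):
    """True if the version falls inside one of the ranges listed in the article."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def version_from_jar_name(filename):
    """Extract the version from a struts2-core jar file name, or None if it
    does not match the assumed naming convention."""
    match = JAR_NAME_RE.search(filename)
    return match.group(1) if match else None


def triage(jar_names):
    """Map each jar file name to 'vulnerable', 'not vulnerable' or 'unknown'."""
    report = {}
    for name in jar_names:
        version = version_from_jar_name(name)
        if version is None:
            report[name] = "unknown"
        else:
            report[name] = "vulnerable" if is_vulnerable(version) else "not vulnerable"
    return report


if __name__ == "__main__":
    # Constructed sample file names for the example (not real inventory data).
    sample = [
        "struts2-core-2.3.31.jar",
        "struts2-core-2.3.32.jar",
        "struts2-core-2.5.10.jar",
        "struts2-core-2.5.10.1.jar",
        "struts2-convention-plugin-2.5.10.jar",
    ]
    for jar, status in triage(sample).items():
        print(f"{jar}: {status}")
```

The triage function reports "unknown" rather than "not vulnerable" for anything it cannot parse, so an inventory scan fails closed and a renamed or shaded jar is flagged for manual review instead of silently passing.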