This article is more than 1 year old

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency

Underground forums alight with Struts chat, we hear

A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild.

Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said.

The vulnerability appears to be easier to exploit than the Struts flaw that was used in the infamous Equifax breach, so cryptocurrency scams may be the least of our worries.


Apache's latest SNAFU – Struts normal, all fscked up: Web app framework needs urgent patching


CVE-2018-11776 affects versions 2.3 up to 2.3.34 as well as Struts 2.5 up to 2.5.16. It also poses a potential risk to unsupported versions of the framework. Uncovered by software engineering analytics firm Semmle, the vuln is caused by insufficient validation of untrusted user data in the core of the Struts framework. The security flaw allows a remote, unauthenticated user to execute arbitrary code on the system they've targeted.

Developers at the Apache Software Foundation have urged sysadmins to update their systems (to 2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5 – see here), as The Register previously reported.

"An attacker can exploit the flaw by adding their own namespace to the URL as part of an HTTP request," threat intel firm Recorded Future warned. "Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation."

Image by Vaniato

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too


Hackers are buzzing over the bug. Recorded Future said it has picked up "chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability".

"Unlike last year's Apache Struts exploit (CVE-2017-5638), which was at the centre of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it," Recorded Future added in a blog post about the bug. ®

More about


Send us news

Other stories you might like