Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Actively Exploited Struts Flaw Affects Cisco Products

Cisco informed customers on Friday that at least some of its products are affected by an Apache Struts2 command execution vulnerability that has been exploited in the wild over the past days.

Cisco informed customers on Friday that at least some of its products are affected by an Apache Struts2 command execution vulnerability that has been exploited in the wild over the past days.

The flaw has been confirmed to affect the Cisco Identity Services Engine (ISE), the Prime Service Catalog Virtual Appliance, and the Unified SIP Proxy Software. The networking giant has published a list of dozens of products that are not affected, but there are still many products under investigation.

While the vulnerability has been actively exploited to deliver malware, Cisco has not found any evidence of attacks targeting its products. Nevertheless, the company has warned users that exploits for this flaw are publicly available. It’s worth noting that Cisco’s Talos group was the first to warn of active attacks.

The security hole, identified as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10, and it was addressed on March 6 with the release of versions 2.3.32 and 2.5.10.1. The first attacks were spotted one day later when someone published a proof-of-concept (PoC) exploit.

The vulnerability exists in the Jakarta Multipart parser and is caused by the improper handling of Content-Type header values. A remote, unauthenticated attacker can exploit the weakness to execute arbitrary commands by sending a specially crafted HTTP request.

Researchers observed exploitation attempts whose goal was to determine if a system is vulnerable, and ones where attackers attempted to deliver various types of malware, including IRC bouncers and DoS/DDoS bots.

Advertisement. Scroll to continue reading.

Rapid7 has been monitoring attacks and, based on data from its honeypots, determined that much of the malicious traffic comes from two machines apparently located in China.

Cisco and other security vendors have started releasing firewall rules that should block such attacks. Tinfoil Security has made available an online tool that allows website owners to check if they are vulnerable to attacks exploiting CVE-2017-5638.

Related: Microsoft Patches 4 Vulnerabilities Exploited in the Wild

Related: Recently Patched Drupal Flaw Exploited in the Wild

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.