
Critical Apache Struts Vulnerability Exploited in Live Attacks

A critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being exploited in the wild, threat intelligence firm Volexity warns.

The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.
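A quick way to turn those version ranges into an audit check against a deployed application. This is an added example, not code from the article or from the Struts project: the `struts2-core-<version>.jar` filename pattern is an assumption about how the library appears in a web application's lib directory, and pre-2.3 builds are reported as "possibly-affected" to mirror the article's wording about unsupported versions rather than a tested result.

```python
import re

# Inclusive version ranges the article lists as affected by CVE-2018-11776.
AFFECTED_RANGES = (
    ((2, 3, 0), (2, 3, 34)),
    ((2, 5, 0), (2, 5, 16)),
)
# Anything older than the 2.3 line is unsupported; the article says it is
# "possibly" affected, so it gets its own bucket rather than a clean bill.
OLDEST_SUPPORTED = (2, 3, 0)

# Assumed filename convention for the core library inside WEB-INF/lib.
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.16' into a comparable tuple of ints, padded to three parts
    so that '2.5' sorts as 2.5.0 rather than below it."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def struts_status(version):
    """Classify a Struts 2 version string against CVE-2018-11776.
    Returns 'affected', 'possibly-affected' or 'fixed'."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:  # tuples compare lexicographically
            return "affected"
    if v < OLDEST_SUPPORTED:
        return "possibly-affected"
    return "fixed"


def classify_jars(paths):
    """Map every struts2-core jar in an iterable of file paths to its status;
    jars that are not the Struts core library are ignored."""
    result = {}
    for path in paths:
        m = STRUTS_JAR.search(path)
        if m:
            result[path] = struts_status(m.group(1))
    return result


if __name__ == "__main__":
    # Constructed classpath listing, not taken from a real deployment.
    for path, status in classify_jars([
        "/opt/app/WEB-INF/lib/struts2-core-2.5.16.jar",
        "/opt/app/WEB-INF/lib/commons-io-2.6.jar",
    ]).items():
        print(status, path)
```

Feed it the output of `find / -name 'struts2-core-*.jar'` (or the contents of an exploded WAR) to get an inventory; a fixed status here means the version is outside the ranges the advisory names, not that the deployment has been tested.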

Tracked as CVE-2018-11776, the bug is trivial to exploit: because Apache Struts does not properly validate namespace input, an attacker only needs to supply their own namespace as part of an HTTP request.
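Because the attacker-controlled value travels in the request path (where Struts reads the namespace from), a plain web server access log is enough to spot probing. The detector below is an added example, not from the article or from Volexity: the log lines are constructed, the heuristic that a namespace should never contain an OGNL expression opener (`${` or `%{`) is an assumption, and the sample probe carries a harmless `${1+1}` expression rather than any real payload.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines; not Volexity's data.
# Line 2 carries a percent-encoded "${1+1}" namespace, line 3 the same probe
# encoded twice, line 4 an OGNL-looking query string that is NOT the namespace
# vector and so must not be flagged by this detector.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2018:10:01:02 +0000] "GET /showcase/index.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Aug/2018:10:01:07 +0000] "GET /%24%7B1%2B1%7D/index.action HTTP/1.1" 302 0 "-" "python-requests/2.19"
198.51.100.7 - - [27/Aug/2018:10:02:11 +0000] "GET /%2524%257B1%252B1%257D/index.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
203.0.113.5 - - [27/Aug/2018:10:03:30 +0000] "GET /showcase/search.action?q=%24%7Bx%7D HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)
# Assumed heuristic: a Struts namespace should never contain an OGNL
# expression opener, whether it arrives raw or percent-encoded.
OGNL_MARKER = re.compile(r"[$%]\{")


def decoded_path(target):
    """Return the path part of a request target, percent-decoded twice so a
    double-encoded probe is caught as well as a single-encoded one."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def suspicious_requests(log_text):
    """Return a list of (client ip, decoded path, status) for every request
    whose path contains an OGNL marker. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decoded_path(m.group("target"))
        if OGNL_MARKER.search(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in suspicious_requests(SAMPLE_LOG):
        print(ip, status, path)
```

The response status is recorded but deliberately not used as a filter: a 302 or 200 says nothing about whether the expression was evaluated, so every hit deserves a look at the host. The check also ignores query strings and headers on purpose; those were the vectors of earlier Struts bugs, not of this one, and folding them in would need a different rule set.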

Neither the Apache Software Foundation – which announced the availability of patches on August 22 – nor Semmle – the code analysis company that reported the bug in April – provided technical details, but a proof-of-concept (PoC) exploit for the vulnerability was published within days.

Now, Volexity says they have observed the first malicious campaign targeting the vulnerability. The attacks apparently started shortly after the PoC was released.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from Russian and French IP addresses and,” the security firm reveals.

The observed exploit attempts to retrieve a copy of the CNRig miner from GitHub (saving it as xrig) and a shell script from BitBucket, using wget requests to the URLs where the two files are hosted.

Among other actions, the shell script removes specific processes, deletes previous instances of the miner, and downloads three ELF cryptomining binaries. These are miner executables targeting Intel, ARM, and MIPS architectures, which shows the broad scope of the attack.

“[I]t shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts,” Volexity points out.

The BitBucket folder appears to be an open directory that contains both the shell script and the ELF binaries. The mining account name is the same as the BitBucket account name, the security firm says.

The Apache Struts framework's popularity makes it a highly appealing target for cybercriminals and threat actors alike, and it is no surprise that the recently addressed bug is already being abused for malicious purposes.

A critical remote code execution flaw addressed in the framework in March 2017 was still being targeted one year later, SANS Internet Storm Center handler Guy Bruneau reported several months ago.

Related: Exploit for Recent Critical Apache Struts Vulnerability Published

Related: Critical Apache Struts 2 Flaw Allows Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
