Connect with us

Hi, what are you looking for?


Malware & Threats

Exploitation of Critical ownCloud Vulnerability Begins

Threat actors have started exploiting a critical ownCloud vulnerability leading to sensitive information disclosure.

Threat actors have started exploiting a critical information disclosure vulnerability in the open source file-sharing and collaboration software ownCloud only days after its public disclosure.

The vulnerability, tracked as CVE-2023-49103, impacts the Graphapi app, allowing attackers to retrieve sensitive environment variables, including credentials, license keys, and other system information.

Impacting Graphapi versions 0.2.0 to 0.3.0, the flaw cannot be mitigated by disabling the Graphapi app, and also requires changing passwords for administrative accounts, access keys, and credentials for the mail server and database.

ownCloud disclosed the vulnerability on November 21, along with two other critical issues in the software (CVE-2023-49104 and CVE-2023-49105). On Monday, the US cybersecurity agency CISA included the bugs in its weekly vulnerability roundup, without a severity rating.

Also on Monday, attack activity and exposed asset tracking services issued warnings about the first in-the-wild exploitation attempts targeting CVE-2023-49103.

Nonprofit cybersecurity organization Shadowserver Foundation warned that it has identified roughly 11,000 ownCloud instances that are exposed to the internet, and which are potentially at risk.

The largest number of these instances are in Germany (2,000), followed by the US (1,400), and France (1,300). Russia, Poland, the Netherlands, Italy, the UK, Canada, and Spain round up top 10, with hundreds of instances each.

Shadowserver warns that the vulnerability is very easy to exploit, urging administrators to follow the mitigation steps outlined by ownCloud.

Advertisement. Scroll to continue reading.

According to data from Greynoise, the targeting of CVE-2023-49103 started on November 25, with attacks originating from a single IP address. The number of exploitation attempts increased on Monday, with 11 unique IPs joining the fray.

Johannes Ullrich of the SANS Internet Storm Center too warned of activity targeting the ownCloud vulnerability, detailing five IPs involved in the observed attacks, which have scanned for files within vulnerable ownCloud instances.

“This pattern can suggest potential coordinated efforts by threat actors or botnets aiming to exploit the disclosed security flaw,” SOC Radar notes.

Ullrich, however, points out that there is a steady flow of attacks targeting ownCloud instances, many of which “are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords”.

Related: Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway

Related: In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover

Related: Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.