The researcher Ralf-Phillip Weinmann , managing director at security firm Comsecuris , has disclosed Vulnerability-related.DiscoverVulnerability a zero-day baseband vulnerability affecting Vulnerability-related.DiscoverVulnerability Huawei smartphones , laptop WWAN modules , and IoT components . Baseband is firmware used on smartphones to connect to cellular networks , to make voice calls , and transmit data . An attacker can exploit baseband flaws to eavesdrop Attack.Databreach mobile communications , take over the device making calls and sending SMS messages to premium numbers or to exfiltrate Attack.Databreach data . The expert revealed Vulnerability-related.DiscoverVulnerability the flaw this week at the Infiltrate Conference , the vulnerability could be exploited Vulnerability-related.DiscoverVulnerability by attackers to execute a memory-corruption attack against affected devices over the air . Fortunately , the attack is quite difficult to conduct . The baseband vulnerability resides in Vulnerability-related.DiscoverVulnerability the HiSilicon Balong integrated 4G LTE modems . The Balong application processor is called Kirin , it is produced by the Hisilicon Technologies , a subsidiary of Huawei Technologies . The affected firmware is present in several Huawei Honor smartphones , including the P10 , Huawei Mate 9 , Honor 9 , 7 , 5c and 6 . Weinmann believes that millions of Honor smartphones could be exposed to the to attack . Weinmann presented Vulnerability-related.DiscoverVulnerability multiple baseband vulnerabilities found in Vulnerability-related.DiscoverVulnerability the Kirin application processor . The expert also revealed that many laptops produced by IT vendors leverage the HiSilicon Balong integrated modem , such as a number IoT devices . “ This baseband is much easier to exploit than other basebands . Why ? I ’ m not sure if this was intentional , but the vendor actually published the source code for the baseband which is unusual , ” Weinmann said . “ Also , the malleability of this baseband implantation doesn ’ t just make it good for device experimenting , but also network testing. ” Weinmann speculates HiSilicon may have wrong released the Kirin source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data . Weinmann demonstrated several attack scenarios against mobile phones . A first attack scenario presented by the researcher involves setting up a bogus base station using open-source software called OpenLTE that is used by an attacker to simulate a network operator . The attacker can send specially crafted packets over the air that trigger a stack buffer overflow in the LTE stack causing the phone crashing . Once the phone rebooted an attacker can gain persistence installing a rootkit . In a second attack scenario , the attacker with a physical access to the phone and private key pair data would install malicious tools on the firmware . “ It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network . Without this key material , a base station can not pose as a legit network towards the device. ” Weinmann used for its test his own VxWorks build environment using an evaluation version of VxWorks 7.0 that shipped with Intel Galileo several years ago . The expert explained that the existence of a Lua scripting interpreter running in the baseband gives him further offensive options . Weinmann did not disclose the technical details to avoid threat actors in the wild will abuse his technology . “ I have chosen to only disclose lower-severity findings for now . Higher severity findings are in the pipeline. ” Weinmann said .

A broad array of Android phones are vulnerable Vulnerability-related.DiscoverVulnerability to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover , a researcher has demonstrated Vulnerability-related.DiscoverVulnerability . The vulnerability resides in Vulnerability-related.DiscoverVulnerability a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices . Apple patched Vulnerability-related.PatchVulnerability the vulnerability with Monday 's release Vulnerability-related.PatchVulnerability of iOS 10.3.1 . `` An attacker within range may be able to execute arbitrary code on the Wi-Fi chip , '' Apple 's accompanying advisory warned Vulnerability-related.DiscoverVulnerability . In a highly detailed blog post published Vulnerability-related.DiscoverVulnerability Tuesday , the Google Project Zero researcher who discovered Vulnerability-related.DiscoverVulnerability the flaw said Vulnerability-related.DiscoverVulnerability it allowed the execution of malicious code on a fully updated 6P `` by Wi-Fi proximity alone , requiring no user interaction . '' Google is in the process of releasing Vulnerability-related.PatchVulnerability an update in its April security bulletin . The fix is available Vulnerability-related.PatchVulnerability only to a select number of device models , and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible . Company representatives did n't respond to an e-mail seeking comment for this post . The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values . The values , in turn , cause the firmware running on Broadcom 's wireless system-on-chip to overflow its stack . By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks , Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode . Beniamini 's code does nothing more than write a benign value to a specific memory address . Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point . Besides the specific stack overflow bugs exploited Vulnerability-related.DiscoverVulnerability by the proof-of-concept attack , Beniamini said Vulnerability-related.DiscoverVulnerability a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target . `` We ’ ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex , it still lags behind in terms of security , '' he wrote . `` Specifically , it lacks all basic exploit mitigations—including stack cookies , safe unlinking and access permission protection ( by means of [ a memory protection unit . ] ) '' The Broadcom chipset contains an MPU , but the researcher found that it 's implemented in a way that effectively makes all memory readable , writeable , and executable . `` We can conveniently execute our code directly from the heap . '' He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms . Given the severity of the vulnerability , people with affected Vulnerability-related.DiscoverVulnerability devices should install Vulnerability-related.PatchVulnerability a patch as soon as it 's available . For those with vulnerable iPhones , that 's easy enough . As is all too often the case for Android users , there 's no easy way to get Vulnerability-related.PatchVulnerability a fix immediately , if at all . That 's because Google continues to stagger the release Vulnerability-related.PatchVulnerability of its monthly patch bundle for the minority of devices that are eligible to receive it . At the moment , it 's not clear if there are effective workarounds available for vulnerable devices . Turning off Wi-Fi is one possibility , but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones , devices often relay Wi-Fi frames even when Wi-Fi is turned off

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined , because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password . This is according to technical analyses published Friday . Further ReadingIntel patches Vulnerability-related.PatchVulnerability remote hijacking vulnerability that lurked in chips for 7 years . As Ars reported Vulnerability-related.DiscoverVulnerability Monday , the authentication bypass vulnerability resides in Vulnerability-related.DiscoverVulnerability a feature known as Active Management Technology . AMT , as it 's usually called , allows system administrators to perform a variety of powerful tasks over a remote connection . Among the capabilities : changing the code that boots up computers , accessing the computer 's mouse , keyboard , and monitor , loading and executing programs , and remotely powering on computers that are turned off . In short , AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access . AMT , which is available with many vPro processors , was set up to require a password before it could be remotely accessed over a Web browser interface . But , remarkably , that authentication mechanism can be bypassed by entering no text at all . According to a blog post published Friday by Tenable Network Security , the cryptographic hash that the interface 's digest access authentication requires to verify someone is authorized to log in can be anything at all , including no string at all . `` Authentication still worked '' even when the wrong hash was entered , Tenable Director of Reverse Engineering Carlos Perez wrote . `` We had discovered a complete bypass of the authentication scheme . '' A separate technical analysis from Embedi , the security firm Intel credited with first disclosing Vulnerability-related.DiscoverVulnerability the vulnerability , arrived at the same conclusion . Embedi e-mailed the analysis to reporters , but did n't publish it online . Making matters worse , unauthorized accesses typically are n't logged by the PC because AMT has direct access to the computer 's network hardware . When AMT is enabled , all network packets are redirected to the Intel Management Engine and from there to the AMT . The packets bypass the OS completely . The vulnerable management features were made available in some but not all Intel chipsets starting in 2010 , Embedi has said . In a blog post published Friday , Intel officials said they expect PC makers to release Vulnerability-related.PatchVulnerability a patch next week . The releases will update Vulnerability-related.PatchVulnerability Intel firmware , meaning patching Vulnerability-related.PatchVulnerability will require that each vulnerable chip set is reflashed . In the meantime , Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers . Systems that test positive should be temporarily secured using this mitigation guide until a patch is supplied Vulnerability-related.PatchVulnerability . Computer makers Fujitsu , HP , and Lenovo , have also issued advisories for specific models they sell .

Security researchers at Qualys Security have discovered Vulnerability-related.DiscoverVulnerability a Linux flaw that could be exploited Vulnerability-related.DiscoverVulnerability to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems . The high severity flaw , tracked as Vulnerability-related.DiscoverVulnerability CVE-2017-1000367 , resides in Vulnerability-related.DiscoverVulnerability the Sudo ’ s get_process_ttyname ( ) for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem . The Linux flaw could be exploited Vulnerability-related.DiscoverVulnerability by a local user with privileges to execute commands via Sudo and could allow attackers to escalate their privileges to root . The Sudo ’ s get_process_ttyname ( ) function opens “ /proc/ [ pid ] /stat ” ( man proc ) and reads the device number of the tty from field 7 ( tty_nr ) . These fields are space-separated , the field 2 ( comm , the filename of the command ) can contain spaces . Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command ’ s output , including root-owned files . “ We discovered Vulnerability-related.DiscoverVulnerability a vulnerability in Sudo ’ s get_process_ttyname ( ) for Linux : this function opens “ /proc/ [ pid ] /stat ” ( man proc ) and reads the device number of the tty from field 7 ( tty_nr ) . Unfortunately , these fields are space-separated and field 2 ( comm , the filename of the command ) can contain spaces ( CVE-2017-1000367 ) . ” reads the security advisory . “ On an SELinux-enabled system , if a user is Sudoer for a command that does not grant him full root privileges , he can overwrite any file on the filesystem ( including root-owned files ) with his command ’ s output , because relabel_tty ( ) ( in src/selinux.c ) calls open ( O_RDWR|O_NONBLOCK ) on his tty and dup2 ( ) s it to the command ’ s stdin , stdout , and stderr . This allows any Sudoer user to obtain full root privileges. ” To exploit the issue , a Sudo user would have to choose a device number that doesn ’ t exist under “ /dev ” . If the terminal isn ’ t present under the /dev/pts directory when the Sudo performs a breadth-first search of /dev , the user could allocate a pseudo-terminal between the two searchers and create a “ symbolic link to the newly-created device in a world-writable directory under /dev , such as /dev/shm , ” “ Exploiting the bug requires that the user already have sudo privileges . SELinux must also be enabled on the system and sudo must have been built with SELinux support . To exploit the bug , the user can choose a device number that does not currently exist under /dev . If sudo does not find the terminal under the /dev/pts directory , it performs a breadth-first search of /dev . It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev . The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev , such as /dev/shm. ” read a Sudo alert . “ This file will be used as the command ’ s standard input , output and error when an SELinux role is specified on the sudo command line . If the symbolic link under /dev/shm is replaced with a link to an another file before it is opened by sudo , it is possible to overwrite an arbitrary file by writing to the standard output or standard error . This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers. ” The Linux flaw affects Vulnerability-related.DiscoverVulnerability all Sudo versions from 1.8.6p7 through 1.8.20 , the Sudo 1.8.20p1 fixes Vulnerability-related.PatchVulnerability it , the issue was rated with a CVSS3 Base Score of 7.8 .

The zero-day memory corruption flaw resides in Vulnerability-related.DiscoverVulnerability the implementation of the SMB ( server message block ) network file sharing protocol that could allow a remote , unauthenticated attacker to crash systems with denial of service attack , which would then open them to more possible attacks . According to US-CERT , the vulnerability could also be exploited Vulnerability-related.DiscoverVulnerability to execute arbitrary code with Windows kernel privileges on vulnerable systems , but this has not been confirmed Vulnerability-related.DiscoverVulnerability right now by Microsoft . Without revealing Vulnerability-related.DiscoverVulnerability the actual scope of the vulnerability and the kind of threat the exploit poses , Microsoft has just downplayed Vulnerability-related.DiscoverVulnerability the severity of the issue , saying : `` Windows is the only platform with a customer commitment to investigate reported security issues , and proactively update impacted devices as soon as possible . We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection . '' However , the proof-of-concept exploit code , Win10.py , has already been released Vulnerability-related.DiscoverVulnerability publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser . The memory corruption flaw resides in Vulnerability-related.DiscoverVulnerability the manner in which Windows handles SMB traffic that could be exploited Vulnerability-related.DiscoverVulnerability by attackers ; all they need is tricking victims to connect to a malicious SMB server , which could be easily done using clever social engineering tricks . `` In particular , Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure , '' CERT said in the advisory . `` By connecting to a malicious SMB server , a vulnerable Windows client system may crash ( BSOD ) in mrxsmb20.sys . '' Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft , all Windows users are left open to potential attacks at this time . Until Microsoft patches Vulnerability-related.PatchVulnerability the memory corruption flaw ( most probably in the upcoming Windows update or out-of-band patch ) , Windows users can temporarily fix Vulnerability-related.PatchVulnerability the issue by blocking outbound SMB connections ( TCP ports 139 and 445 and UDP ports 137 and 138 ) from the local network to the WAN .

The zero-day memory corruption flaw resides in Vulnerability-related.DiscoverVulnerability the implementation of the SMB ( server message block ) network file sharing protocol that could allow a remote , unauthenticated attacker to crash systems with denial of service attack , which would then open them to more possible attacks . According to US-CERT , the vulnerability could also be exploited Vulnerability-related.DiscoverVulnerability to execute arbitrary code with Windows kernel privileges on vulnerable systems , but this has not been confirmed Vulnerability-related.DiscoverVulnerability right now by Microsoft . Without revealing Vulnerability-related.DiscoverVulnerability the actual scope of the vulnerability and the kind of threat the exploit poses , Microsoft has just downplayed Vulnerability-related.DiscoverVulnerability the severity of the issue , saying : `` Windows is the only platform with a customer commitment to investigate reported security issues , and proactively update impacted devices as soon as possible . We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection . '' However , the proof-of-concept exploit code , Win10.py , has already been released Vulnerability-related.DiscoverVulnerability publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser . The memory corruption flaw resides in Vulnerability-related.DiscoverVulnerability the manner in which Windows handles SMB traffic that could be exploited Vulnerability-related.DiscoverVulnerability by attackers ; all they need is tricking victims to connect to a malicious SMB server , which could be easily done using clever social engineering tricks . `` In particular , Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure , '' CERT said in the advisory . `` By connecting to a malicious SMB server , a vulnerable Windows client system may crash ( BSOD ) in mrxsmb20.sys . '' Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft , all Windows users are left open to potential attacks at this time . Until Microsoft patches Vulnerability-related.PatchVulnerability the memory corruption flaw ( most probably in the upcoming Windows update or out-of-band patch ) , Windows users can temporarily fix Vulnerability-related.PatchVulnerability the issue by blocking outbound SMB connections ( TCP ports 139 and 445 and UDP ports 137 and 138 ) from the local network to the WAN .

A miscreant using the handle @ cyberzeist claims Vulnerability-related.DiscoverVulnerability to have infiltrated Plone CMS used by FBI.gov , using a zero day flaw allegedly for sale on an unnamed dark web site . The Register has contacted the FBI to confirm the allegations . The agency was not immediately available for comment – although a staffer said they were aware of the alleged break-in . Cyberzeist claims to have conducted the hack last month and has posted to Twitter what they claim are screen captures showing the FBI patching Vulnerability-related.PatchVulnerability against the vulnerability , which appeared to permit public access . The hacker dumped Attack.Databreach the 155 purported stolen credentials to online clipboard pastebin , claiming Vulnerability-related.DiscoverVulnerability a vulnerability resides in Vulnerability-related.DiscoverVulnerability a Plone Python module . Cyberzeist also claimed the FBI contacted the hacker requesting a copy of the stolen credentials , which they declined to provide . The hacker reckoned the CMS was hosted on a virtual machine running a custom FreeBSD . They said they will tweet the zero day flaw once it is no longer for sale .

The hacker leaked Attack.Databreach the FBI.GOV accounts that he found in several backup files ( acc_102016.bck , acc_112016.bck , old_acc16.bck , etc ) . Leaked records contain accounts data , including names , SHA1 Encrypted Passwords , SHA1 salts , and emails . The intrusion occurred on December 22 , 2016 , the hacker revealed Vulnerability-related.DiscoverVulnerability to have exploited Vulnerability-related.DiscoverVulnerability a zero-day vulnerability in the Plone Content Management System Going back to 22nd December 2016 , I tweeted about Vulnerability-related.DiscoverVulnerability a 0day vulnerability in Plone CMS which is considered as the most secure CMS till date . The vulnerability resides in Vulnerability-related.DiscoverVulnerability some python modules of the CMS . The hacker noticed that while media from Germany and Russia published the news about the hack , but US based publishers ignored it . According to CyberZeist , the FBI contacted him to pass on the leaks . `` I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them . just because I was waiting for FBI to react on time . They didn ’ t directly react and I don ’ t know yet what are they up to , but at the time I was extracting my finds after hacking FBI.GOV , '' he wrote . The expert added further info on the attack , while experts at the FBI were working to fix Vulnerability-related.PatchVulnerability the issue , he noticed Vulnerability-related.DiscoverVulnerability that the Plone 0day exploit was still working against the CMS backend . ) , but I was able to recon that they were running Vulnerability-related.PatchVulnerability FreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations . Their last reboot time was 15th December 2016 at 6:32 PM in the evening . `` While exploiting FBI.GOV , it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files ( .bck extension ) on that same folder where the site root was placed ( Thank you Webmaster ! ) , but still I didn ’ t leak out Attack.Databreach the whole contents of the backup files , instead I tweeted out Vulnerability-related.DiscoverVulnerability my findings and thought to wait for FBI ’ s response '' Now let ’ s sit and wait for the FBI ’ s response . I obviously can not publish Vulnerability-related.DiscoverVulnerability the 0day attack vector myself . The hacker confirmed Vulnerability-related.DiscoverVulnerability that the 0-day is offered for sale on Tor by a hacker that goes by the moniker “ lo4fer ” . Once this 0day is no longer being sold , I will tweet out Vulnerability-related.DiscoverVulnerability the Plone CMS 0day attack vector myself . Let ’ s close with a curiosity … CyberZeist is asking you to chose the next target . The hacker is very popular , among his victims , there are Barclays , Tesco Bank and the MI5 .

In a string of attacks that have escalated over the past 48 hours , hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks , government agencies , and large Internet companies . The code-execution bug resides in Vulnerability-related.DiscoverVulnerability the Apache Struts 2 Web application framework and is trivial to exploit . Although maintainers of the open source project patched Vulnerability-related.PatchVulnerability the vulnerability on Monday , it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update , researchers are warning Vulnerability-related.DiscoverVulnerability . Making matters worse , at least two working exploits are publicly available . `` We have dedicated hours to reporting to companies , governments , manufacturers , and even individuals to patch Vulnerability-related.PatchVulnerability and correct the vulnerability as soon as possible , but the exploit has already jumped to the big pages of 'advisories , ' and massive attempts to exploit the Internet have already been observed . '' Researchers at Cisco Systems said they are seeing a `` high number of exploitation events '' by hackers attempting to carry out a variety of malicious acts . One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker 's choice . The payloads include `` IRC bouncers , '' which allow the attackers to hide their real IP address during Internet chats ; denial-of-service bots ; and various other packages that conscript a server into a botnet . `` These are several of the many examples of attacks we are currently observing and blocking , '' Cisco 's Nick Biasini wrote . `` They fall into two broad categories : probing and malware distribution . The payloads being delivered vary considerably , and to their credit , many of the sites have already been taken down and the payloads are no longer available . '' The vulnerability resides in Vulnerability-related.DiscoverVulnerability what 's known as the Jakarta file upload multipart parser , which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function . Apache Struts versions affected by Vulnerability-related.DiscoverVulnerability the vulnerability include Struts 2.3.5 through 2.3.31 , and 2.5 through 2.5.10 . Servers running any of these versions should upgrade to Vulnerability-related.PatchVulnerability 2.3.32 or 2.5.10.1 immediately . It 's not clear why the vulnerability is being exploited Vulnerability-related.DiscoverVulnerability so widely 48 hours after a patch was released Vulnerability-related.PatchVulnerability . One possibility is that the Apache Struts maintainers did n't adequately communicate the risk . Although they categorize Vulnerability-related.DiscoverVulnerability the vulnerability security rating as high , they also describe Vulnerability-related.DiscoverVulnerability it as posing a `` possible remote code execution '' risk . Outside researchers , meanwhile , have said the exploits are trivial to carry out , are highly reliable , and require no authentication . It 's also easy to scan the Internet for vulnerable servers . It 's also possible to exploit the bug even if a Web application does n't implement file upload functionality . Update 3/9/2017 10:07 California time : In a comment to this post , Ars Technology Editor Peter Bright provides Vulnerability-related.PatchVulnerability a much more plausible explanation for the delay in patching Vulnerability-related.PatchVulnerability this highly critical vulnerability . Most bug fixes Vulnerability-related.PatchVulnerability , he pointed out , require downloading and installing a patch , possibly rebooting a machine , and being done with it .

In a string of attacks that have escalated over the past 48 hours , hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks , government agencies , and large Internet companies . The code-execution bug resides in Vulnerability-related.DiscoverVulnerability the Apache Struts 2 Web application framework and is trivial to exploit . Although maintainers of the open source project patched Vulnerability-related.PatchVulnerability the vulnerability on Monday , it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update , researchers are warning Vulnerability-related.DiscoverVulnerability . Making matters worse , at least two working exploits are publicly available . `` We have dedicated hours to reporting to companies , governments , manufacturers , and even individuals to patch Vulnerability-related.PatchVulnerability and correct the vulnerability as soon as possible , but the exploit has already jumped to the big pages of 'advisories , ' and massive attempts to exploit the Internet have already been observed . '' Researchers at Cisco Systems said they are seeing a `` high number of exploitation events '' by hackers attempting to carry out a variety of malicious acts . One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker 's choice . The payloads include `` IRC bouncers , '' which allow the attackers to hide their real IP address during Internet chats ; denial-of-service bots ; and various other packages that conscript a server into a botnet . `` These are several of the many examples of attacks we are currently observing and blocking , '' Cisco 's Nick Biasini wrote . `` They fall into two broad categories : probing and malware distribution . The payloads being delivered vary considerably , and to their credit , many of the sites have already been taken down and the payloads are no longer available . '' The vulnerability resides in Vulnerability-related.DiscoverVulnerability what 's known as the Jakarta file upload multipart parser , which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function . Apache Struts versions affected by Vulnerability-related.DiscoverVulnerability the vulnerability include Struts 2.3.5 through 2.3.31 , and 2.5 through 2.5.10 . Servers running any of these versions should upgrade to Vulnerability-related.PatchVulnerability 2.3.32 or 2.5.10.1 immediately . It 's not clear why the vulnerability is being exploited Vulnerability-related.DiscoverVulnerability so widely 48 hours after a patch was released Vulnerability-related.PatchVulnerability . One possibility is that the Apache Struts maintainers did n't adequately communicate the risk . Although they categorize Vulnerability-related.DiscoverVulnerability the vulnerability security rating as high , they also describe Vulnerability-related.DiscoverVulnerability it as posing a `` possible remote code execution '' risk . Outside researchers , meanwhile , have said the exploits are trivial to carry out , are highly reliable , and require no authentication . It 's also easy to scan the Internet for vulnerable servers . It 's also possible to exploit the bug even if a Web application does n't implement file upload functionality . Update 3/9/2017 10:07 California time : In a comment to this post , Ars Technology Editor Peter Bright provides Vulnerability-related.PatchVulnerability a much more plausible explanation for the delay in patching Vulnerability-related.PatchVulnerability this highly critical vulnerability . Most bug fixes Vulnerability-related.PatchVulnerability , he pointed out , require downloading and installing a patch , possibly rebooting a machine , and being done with it .