Scanning for Apache Struts Vulnerability CVE-2017-5638
Last Updated: 2018-03-25 20:12:55 UTC
by Guy Bruneau (Version: 1)
Over the past two weeks, I have noticed several attempts against my honeypot looking to exploit the CVE-2017-5638 Apache Struts2 vulnerability that look very similar to this Python script. Today alone I recorded 57 attempts against ports 80, 8080 and 443. The format of the queries I have observed over the past two weeks contains one of these two requests:
GET /index.action 
GET /verifylogin.do 
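
To check your own web server logs for the same two requests, the following added example (not part of the original diary) parses access-log lines, counts matching GET requests per source and day, and lists probes the server answered without an error. The Combined Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The two request paths reported in the diary.
PROBE_PATHS = {"/index.action", "/verifylogin.do"}

# Assumption: logs are in Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation-range addresses, not real scanners).
SAMPLE_LOG = """
192.0.2.10 - - [25/Mar/2018:10:01:02 +0000] "GET /index.action HTTP/1.1" 404 162 "-" "-"
192.0.2.10 - - [25/Mar/2018:10:01:03 +0000] "GET /verifylogin.do HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [25/Mar/2018:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [25/Mar/2018:11:00:00 +0000] "GET /index.action?x=1 HTTP/1.1" 200 90 "-" "-"
198.51.100.7 - - [25/Mar/2018:11:02:00 +0000] "POST /verifylogin.do HTTP/1.1" 200 90 "-" "-"
"""

def find_probes(lines):
    """Return (source, day, path, status) for each GET to a reported probe path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparsable line, or not the GET form seen by the honeypot
        # Drop the query string and any ";jsessionid=..." path parameter.
        path = m["target"].split("?", 1)[0].split(";", 1)[0].lower()
        if path in PROBE_PATHS:
            day = m["ts"].split(":", 1)[0]
            hits.append((m["src"], day, path, int(m["status"])))
    return hits

def summarize(hits):
    """Count probe requests per (source, day)."""
    return Counter((src, day) for src, day, _, _ in hits)

def existing_paths(hits):
    """Probes answered with a non-error status: the path exists on this server,
    so its Struts patch level should be verified first."""
    return sorted({(src, path) for src, _, path, status in hits if status < 400})

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG.strip().splitlines())
    for (src, day), count in summarize(hits).most_common():
        print(f"{day} {src} {count} probe(s)")
    print("answered without error:", existing_paths(hits))
```
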
Our original diary was posted a year ago (March 2017) about this critical vulnerability, where we recommended patching immediately. "It is also known as 'Jakarta Struts' and 'Apache Struts'. The Apache project currently maintains Struts." For additional information about this vulnerability, the original advisory is posted here.
Guy Bruneau IPSS Inc.
gbruneau at isc dot sans dot edu