Verodin Alert: Apache Struts Update

By now, most are up to date on the recent Equifax event. If you haven’t been following the new developments, it was reported on Friday (09/08/2017) that Equifax is attributing the unprecedented theft of 143 million American citizens’ personal data to a flaw in Apache Struts, the hugely popular open-source software running its online databases. Hackers accessed social security numbers, driver’s license numbers, credit card information and more through the Apache Struts vulnerability.

Apache Struts is estimated to be used by 65% of F100 companies. Many of the enterprises in this statistic are Verodin customers. On Friday, the Verodin Behavior Research Team (BRT) published a round of attack patterns demonstrating the exploitation of a Struts 2.5.10 server. The Verodin community is empowered with the ability to definitively answer the question every security team is asking right now: “Can this happen to us?” With Verodin, organizations can measure and improve the effectiveness of their security stack against the Apache Struts vulnerability.

The Verodin BRT Apache Struts behavior release includes two actions:  

VID A100-107: Web Application Vulnerability – Apache Struts CVE-2017-9805, Vulnerability Probe

An action that shows an attacker posting a malicious XML document to a web server, exploiting CVE-2017-9805. The web server’s response is intentionally limited; use this action to test your defenses against the exploit without possible giveaways such as unobfuscated shell interaction.

VID A100-108: Web Application Vulnerability – Apache Struts CVE-2017-9805, Reverse Shell

Similar to A100-107, this action shows exploitation of CVE-2017-9805. A100-108 goes further by including likely post-exploitation behavior, including a reverse shell along with several commands. To take the scenario further, Verodin recommends pairing the action with one of the data exfiltration actions from Verodin SIP’s threat library.

Content Availability: Verodin customers and partners have access to these updates via their respective Verodin support portals. Also, Verodin’s open content platform allows customers to develop custom actions, evaluations, and sequences as needed with third-party attack data. Drag and drop a PCAP into the Verodin console and easily weaponize it in under five minutes.


Verodin is the first business platform to measure, manage and improve cybersecurity effectiveness.

Verodin Security Instrumentation Platform (SIP) empowers enterprises to remove assumptions and prove their security effectiveness with quantifiable, evidence-based data. With Verodin SIP, you can observe and adjust real responses to real attacks without ever putting production systems in danger. Verodin customers dramatically increase the ROI of their existing security investments, achieve maximum value from future spending and measurably mature their cyber prevention, detection and response capabilities.
