UPDATED 20:45 EST / AUGUST 26 2018

INFRA

Proof-of-concept code discovered for Apache Struts 2 vulnerability found in millions of systems

In what is shaping up to be potentially the biggest security threat of 2018, proof-of-concept code has been found on GitHub that allows for easy exploitation of the critical vulnerability in Apache Struts 2 disclosed on Aug. 22.

Spotted by security researchers at Recorded Future Inc. on Friday, the code exploits the flaw by adding an attacker-supplied namespace to the URL of an HTTP request, and is said to include a Python script that automates the attack.
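The attack works because a namespace taken from the request URL is evaluated by Struts as an OGNL expression, a detail the article does not spell out. The following Python script is an added example, not code from the article, Recorded Future or Semmle: it scans web-server access log lines for OGNL expression delimiters (`${` or `%{`) in the request path, percent-decoding repeatedly so that double-encoded probes are not missed. The log lines are constructed for the example, the field layout assumes the Apache combined log format, and the `${(111*111)}` expression is a harmless arithmetic probe of the kind scanners use, not an exploit payload.

```python
import re
from urllib.parse import unquote

# Request-line portion of a combined-format access log entry (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# OGNL expression delimiters. A legitimate Struts namespace is a plain path
# segment; "${" or "%{" in the path is an expression being fed to the framework.
OGNL_RE = re.compile(r'[$%]\{')

# Constructed sample log lines (not real traffic): two benign requests,
# one single-encoded probe, one double-encoded probe, one "%{" variant.
SAMPLE_LOG = [
    '198.51.100.4 - - [25/Aug/2018:14:01:55 +0000] "GET /app/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Aug/2018:14:01:58 +0000] "GET /app/showcase.action?id=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Aug/2018:14:02:11 +0000] "GET /%24%7B%28111%2A111%29%7D/help.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '203.0.113.7 - - [25/Aug/2018:14:02:14 +0000] "GET /%2524%257B%28111%2A111%29%257D/help.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '203.0.113.9 - - [25/Aug/2018:14:05:02 +0000] "GET /%25%7B%28%23x%3D1%29%7D/index.action HTTP/1.1" 404 0 "-" "python-requests/2.19.1"',
]


def decode_path(target, max_rounds=3):
    """Drop the query string and percent-decode until the path stops changing.

    Repeated decoding catches double-encoded payloads (%2524 -> %24 -> $),
    which a single unquote() would leave looking harmless.
    """
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_ognl_in_path(target):
    """Return the fully decoded path if it carries an OGNL delimiter, else None."""
    path = decode_path(target)
    return path if OGNL_RE.search(path) else None


def scan_log(lines):
    """Return one record per log line whose request path looks like an OGNL probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected layout; skip rather than guess
        decoded = find_ognl_in_path(m.group('target'))
        if decoded is not None:
            hits.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'status': int(m.group('status')),
                'target': m.group('target'),
                'decoded': decoded,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['decoded']}")
```

Run against the constructed lines, the scan flags the three probe requests and ignores the two ordinary ones. The query string is deliberately excluded, since the namespace comes from the path; a hit is evidence that someone is probing, not proof that the host is exploitable, and the only real remedy remains upgrading Struts to the patched release.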

Allan Liska, a senior security architect at Recorded Future, told SiliconANGLE that the vulnerability is potentially even more damaging than the one from 2017 that was used to breach Equifax.

Unlike the vulnerability used in the hack of Equifax, the Apache Struts 2 vulnerability “does not require any plugins to be present in order to exploit it” because “a simple well-crafted URL is enough to give an attacker access to a victim’s Apache Struts installation and there is already exploit code on GitHub and underground forums are talking about how to exploit it,” Liska explained. “The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto Networks.”

Although it is difficult to pin down exactly how many servers run Apache Struts 2, Recorded Future said it believes that the vulnerability “affects hundreds of millions of systems.”

Oege de Moor, the chief executive officer of Semmle Ltd., the company that discovered the vulnerability, said that although he can’t confirm whether the reported proof-of-concept actually works, if it does, attackers now have a quicker way to break into enterprises.

“There is always a time lag between the announcement of a patch and a company updating its software,” de Moor said. “There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.”

Pointing out the need to apply security updates, de Moor added that “the Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company that hasn’t had the time to update its software will now be at even greater risk.”

Image: Apache
