Critical Apache HugeGraph Flaw Under Attack

Threat actors have been targeting a previously disclosed, critical-severity remote code execution flaw in Apache HugeGraph Server, an open-source tool used in Java 8 and Java 11 environments that helps users build applications and products based on graph databases.

The flaw (CVE-2024-27348), first disclosed three months ago, affects Apache HugeGraph Server versions 1.0.0 up to, but not including, 1.3.0, in Java 8 and Java 11 environments. Apache released a fix on April 22, 2024, and urged users to upgrade to version 1.3.0 with Java 11 and to enable the Auth system. In June, several proof-of-concept exploits were released for the flaw. Since then, threat actors have started targeting it, according to the nonprofit security organization the Shadowserver Foundation on Tuesday.

“We are observing Apache HugeGraph-Server CVE-2024-27348 RCE "POST /gremlin" exploitation attempts from multiple sources,” according to the Shadowserver Foundation on Tuesday. “PoC code is public since early June. If you run HugeGraph, make sure to update.”

The Shadowserver Foundation on Tuesday told Decipher they noticed an increase in exploitation attempts last week, but the original attempts started June 6. Meanwhile, Dick O’Brien, principal intelligence analyst for the Symantec threat hunter team, said attempts seemed to have started in earnest around June 20 when the team started seeing a “few hundred a day,” and they peaked between June 29 and July 6, when the team saw “several thousand on some days.” Since then, the exploitation attempts have started to trend downwards, said O’Brien.
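One way a defender can triage web-server access logs for the "POST /gremlin" requests Shadowserver describes, as an added example that is not from the article, Shadowserver or the Apache project: it parses combined-format log lines (the sample lines below are constructed, not real traffic), groups Gremlin POSTs by source address, and ranks sources whose queries were accepted with a 2xx status ahead of those the server rejected (for example with a 401 once the Auth system is enabled).

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: source, identity, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation/test addresses, not real observations).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jun/2024:10:01:03 +0000] "POST /gremlin HTTP/1.1" 200 512
203.0.113.7 - - [20/Jun/2024:10:01:04 +0000] "POST /gremlin HTTP/1.1" 200 498
198.51.100.2 - - [20/Jun/2024:10:02:10 +0000] "GET /versions HTTP/1.1" 200 120
198.51.100.9 - - [20/Jun/2024:10:05:44 +0000] "POST /gremlin?x=1 HTTP/1.1" 401 0
10.0.0.5 - - [20/Jun/2024:10:06:00 +0000] "POST /graphs/hugegraph/schema/vertexlabels HTTP/1.1" 201 300
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_gremlin_post(rec):
    # Match the endpoint Shadowserver reported, ignoring query strings and trailing slashes.
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return rec["method"] == "POST" and path == "/gremlin"

def triage(log_text):
    """Group POST /gremlin requests by source; a 2xx status means the server accepted the query."""
    hits = defaultdict(lambda: {"total": 0, "accepted": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_gremlin_post(rec):
            continue
        h = hits[rec["src"]]
        h["total"] += 1
        if 200 <= rec["status"] < 300:
            h["accepted"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    # Sources whose Gremlin POSTs were accepted are reviewed first.
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]["accepted"]))

if __name__ == "__main__":
    for src, h in triage(SAMPLE_LOG).items():
        print(f"{src}: {h['total']} POST /gremlin, {h['accepted']} accepted, "
              f"{h['first']:%H:%M:%S} to {h['last']:%H:%M:%S}")
```

Accepted requests against an instance still below 1.3.0 or running without Auth are the ones to investigate first; rejected ones still show which sources are probing.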

In a detailed analysis of the flaw in June, researchers with SecureLayer7 found that the remote code execution bug enables threat actors to bypass sandbox restrictions and execute code remotely via the Gremlin query language.

"This allowed us to access and manipulate various methods, ultimately enabling us to change the task/thread name to bypass all security checks," said SecureLayer7 researchers. "It was patched by filtering critical system classes and adding new security checks in HugeSecurityManager."

Researchers with Symantec said that the flaw is severe. At a broader level, the flaw could enable threat actors to execute arbitrary commands on the server, ultimately allowing for data manipulation and full control over the server.

“The impact for organizations could be critical,” said Symantec's O’Brien. “A remote code execution vulnerability in a public facing system provides the keys to the kingdom for an attacker, providing them with a foothold on an organization's network. From there they can move [laterally] onto other systems. Organizations are left exposed to anything from ransomware to espionage.”