29 November 2023

Mass-exploitation of high-risk ownCloud bug observed in the wild

Threat actors have begun targeting a high-risk information disclosure flaw in the open-source file-sharing and collaboration software ownCloud mere days after the bug was publicly disclosed.

Tracked as CVE-2023-49103 and rated CVSS 10.0, the vulnerability resides in the Graphapi app, which ships a third-party library containing a test script (GetPhpInfo.php) that is reachable over HTTP. Requesting that file returns the output of PHP's phpinfo(), which includes every environment variable of the web server; in containerized deployments these can hold sensitive data such as the ownCloud admin password, mail server credentials, and license keys. The flaw affects Graphapi versions 0.2.0 to 0.3.0. Simply disabling the app does not close the hole, because the web server keeps serving the file; the vendor's guidance is to delete it (and to disable phpinfo in Docker deployments) and to rotate any secrets that may have been exposed, including the admin password and the mail, database and object-store credentials.

The vendor disclosed the vulnerability on November 21 alongside two other flaws: CVE-2023-49104, a subdomain validation bypass in the ownCloud oauth2 app, and CVE-2023-49105, an authentication bypass in the ownCloud WebDAV API.

Because exploitation requires nothing more than an unauthenticated HTTP request for the exposed file, it is no surprise that threat actors have already begun targeting the bug.

Threat tracking outfit GreyNoise reported that it observed mass exploitation of this vulnerability in the wild as early as November 25, 2023. The nonprofit Shadowserver Foundation has also observed exploitation attempts; according to the organization, more than 11,000 ownCloud instances are currently exposed on the internet, the majority of them located in Germany, the US, and France.
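For defenders who want to know whether their own instance was hit, the following added example (not code from ownCloud, GreyNoise or Shadowserver) does the two checks a responder would run: it scans web-server access logs for requests to the graphapi test file named in the advisory, and it triages a captured phpinfo response to list which environment variables were actually exposed. The file name GetPhpInfo.php comes from the advisory; the log lines, the phpinfo-style markup and the environment-variable values are constructed sample data, and the sensitive-name heuristic is my own assumption.

```python
import re
from urllib.parse import unquote

# File name from ownCloud's CVE-2023-49103 advisory: the graphapi app's bundled
# microsoft-graph library ships a test script that prints phpinfo(). Matching on
# the file name rather than the full path also catches the "owncloud/"-prefixed
# install location and suffix tricks such as "GetPhpInfo.php/.css".
INDICATOR = re.compile(r"getphpinfo\.php", re.IGNORECASE)

# Apache/nginx "combined" access-log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_access_log(lines):
    """Return one record per request that touched the phpinfo test file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))  # undo %-encoding so encoded probes still match
        if not INDICATOR.search(path):
            continue
        status, size = m.group("status"), m.group("size")
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": path,
            "status": int(status),
            # A 200 with a non-empty body means phpinfo output most likely left the server.
            "likely_disclosure": status == "200" and size not in ("-", "0"),
        })
    return hits


# Heuristic (my assumption, not from the advisory): variable names that usually
# carry credentials. Tighten or extend it for your own deployment.
SENSITIVE_NAME = re.compile(r"PASSW|SECRET|TOKEN|LICENSE|API_KEY|_KEY$", re.IGNORECASE)

# phpinfo() renders each environment variable as a name cell (class "e")
# followed by a value cell (class "v").
PHPINFO_ROW = re.compile(r'<td class="e">\s*([^<]+?)\s*</td>\s*<td class="v">\s*([^<]*?)\s*</td>')


def triage_phpinfo_response(html):
    """Confirm a captured response is phpinfo output and list the secrets it exposed."""
    is_phpinfo = "phpinfo()" in html or "PHP Version" in html
    exposed = {}
    if is_phpinfo:
        for name, value in PHPINFO_ROW.findall(html):
            if SENSITIVE_NAME.search(name):
                exposed[name] = value
    return is_phpinfo, exposed


# Constructed sample log lines (not real traffic): a benign request, two probes
# that succeeded (one using the suffix trick), and one against a host that had
# already removed the file.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:10:41:03 +0000] "GET /status.php HTTP/1.1" 200 156 "-" "curl/8.4.0"',
    '203.0.113.7 - - [25/Nov/2023:10:41:05 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Nov/2023:11:02:17 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 80977 "-" "python-requests/2.31"',
    '198.51.100.23 - - [26/Nov/2023:08:15:44 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

# Constructed phpinfo-style response (not a real capture); the values are placeholders.
SAMPLE_PHPINFO = """<html><head><title>phpinfo()</title></head><body>
<h2>Environment</h2>
<table>
<tr><td class="e">HOSTNAME </td><td class="v">owncloud-app </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_USERNAME </td><td class="v">admin </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD </td><td class="v">example-not-a-real-secret </td></tr>
<tr><td class="e">OWNCLOUD_DB_PASSWORD </td><td class="v">example-db-secret </td></tr>
<tr><td class="e">OWNCLOUD_LICENSE_KEY </td><td class="v">example-license-key </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
</table></body></html>"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(triage_phpinfo_response(SAMPLE_PHPINFO))
```

Any hit with likely_disclosure set means the secrets in that instance's environment should be treated as compromised and rotated, whether or not the triage step can be run against a captured response; the 404 hit still tells you which sources are scanning you.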
