3 March 2020

Hackers mass scanning the Internet for Apache Tomcat servers vulnerable to Ghostcat flaw


During the weekend, threat actors have started to actively search the internet for Apache Tomcat servers impacted by the recently disclosed Ghostcat vulnerability (CVE-2020-1938), Bad Packets researchers have warned.

Discovered by Chinese cybersecurity firm Chaitin Tech, the flaw resides in Tomcat's AJP connector and allows an attacker to read or include any file within the web application directories of Tomcat, for example the webapp's configuration files or source code, and to execute code on the target host if the web application allows file uploads.

“In addition, if the website application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files, etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution,” the researchers said.

All unpatched Apache Tomcat 6, 7, 8 and 9 installations ship with the AJP Connector enabled by default, listening on port 8009 on all configured server IP addresses. AJP is designed for a trusted reverse proxy such as Apache httpd sitting in front of Tomcat, and Tomcat honors request attributes that arrive over it, so when port 8009 is reachable from the Internet an unauthenticated attacker can set those attributes directly.

The bug affects the following versions of Apache Tomcat:

  • Apache Tomcat 9.x < 9.0.31

  • Apache Tomcat 8.x < 8.5.51

  • Apache Tomcat 7.x < 7.0.100

  • Apache Tomcat 6.x

The Ghostcat flaw has been addressed in versions 7.0.100, 8.5.51, and 9.0.31. Apache Tomcat 6.x reached end of life at the end of 2016 and will not receive a fix, so affected 6.x installations need to be migrated to a supported branch.
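As an added example, not code from the article, Bad Packets, Chaitin Tech or the Tomcat project, the following Python script checks a Tomcat install for the two conditions the article describes: a version string inside an affected range, and a server.xml that still carries an AJP connector bound to all interfaces with no shared secret. The two server.xml fragments are constructed for the example (one mirroring the pre-fix default, one hardened); the `address`, `secretRequired` and `secret` attribute names are those documented for the fixed Tomcat releases, and the secret value is a placeholder.

```python
"""Check a Tomcat install for Ghostcat (CVE-2020-1938) exposure.

Added example, not code from the article or the Tomcat project.  It applies
the two facts the article gives: the first fixed release on each branch, and
the pre-fix default of an AJP connector on port 8009 bound to all addresses.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the article.  6.x has no fix.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}


def parse_version(version):
    """Turn '9.0.30' (or '10.0.0-M1') into an integer tuple for comparison."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_finding(version):
    """Return a finding string if the version is in an affected range, else None."""
    major, minor, patch = parse_version(version)
    if major == 6:
        return ("Tomcat %s: the 6.x line is affected and end-of-life with no fix; "
                "migrate to a supported branch" % version)
    fixed = FIXED.get(major)
    if fixed is None:
        return None  # outside the 6.x-9.x ranges the article lists; not assessed here
    if (major, minor, patch) < fixed:
        return "Tomcat %s is affected; upgrade to %d.%d.%d or later" % ((version,) + fixed)
    return None


def ajp_findings(server_xml):
    """Flag AJP connectors in a server.xml document that are reachable and unauthenticated."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults the protocol to HTTP/1.1 when the attribute is absent.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        # Without an address attribute the pre-fix connector binds every interface.
        if conn.get("address") in (None, "0.0.0.0", "::"):
            findings.append("AJP connector on port %s listens on all interfaces" % port)
        # secret/secretRequired are the attribute names in the fixed releases; without
        # a secret any client that can reach the port can speak AJP to Tomcat.
        if not conn.get("secret"):
            findings.append("AJP connector on port %s has no shared secret" % port)
    return findings


def audit(version, server_xml):
    """Combine the version check and the connector check into one list of findings."""
    report = []
    vf = version_finding(version)
    if vf:
        report.append(vf)
    report.extend(ajp_findings(server_xml))
    return report


# Constructed server.xml fragments for the example (not real deployments).
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
  </Service>
</Server>"""


if __name__ == "__main__":
    for label, ver, xml in (("pre-fix default", "9.0.30", DEFAULT_SERVER_XML),
                            ("hardened", "9.0.31", HARDENED_SERVER_XML)):
        print("%s (%s):" % (label, ver))
        for line in audit(ver, xml) or ["no findings"]:
            print("  -", line)
```

Where nothing in front of Tomcat (such as Apache httpd with mod_jk or mod_proxy_ajp) actually uses AJP, commenting out the AJP `<Connector>` is the simplest fix; the hardened fragment is for deployments that still need it. Either way, upgrading is what closes the bug; binding the connector to loopback and requiring a secret only shrinks the exposure.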

Shodan search results indicate that more than 890,000 Tomcat servers are currently exposed on the Internet, while BinaryEdge puts the number above 1 million. Shortly after public disclosure of the Ghostcat vulnerability, several security researchers published proof-of-concept exploits on GitHub.
