ShadowSyndicate Hackers Exploit Aiohttp Vulnerability To Steal Sensitive Data

A directory traversal vulnerability (CVE-2024-23334) was identified in aiohttp versions before 3.9.2.

This vulnerability allows remote attackers to access sensitive files on the server because aiohttp doesn’t validate file reading within the root directory when ‘follow_symlinks’ is enabled. 

Aiohttp is a popular asynchronous HTTP framework used in over 43,000 internet-exposed instances, making them prime targets for attackers, as patching to Aiohttp 3.9.2 or later is crucial to mitigate this vulnerability. 

Exposure of AIOhttp instances 

One of the most widely used Python libraries for asynchronous HTTP communication, it has a directory traversal vulnerability (CVE-2024-23334) that can be exploited by unauthenticated attackers.


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:


Geographical Distribution of AIOhttp Exposures. 
Geographical Distribution of AIOhttp Exposures. 

The critical flaw (CVSS: 7.5) stems from insufficient validation when following symbolic links with the `aiohttp.web.static(follow_symlinks=True)` option, where an attacker can craft requests to access unauthorized files outside the intended directory structure, potentially compromising sensitive server data.  

A publicly available Proof of Concept (PoC) for the CVE-2024-23334 exploit, accompanied by a detailed YouTube video, was released on February 27th, which was followed by rapid exploitation attempts. 

Scanning attempts on Aio HTTP servers captured by CGSI 
Scanning attempts on Aio HTTP servers captured by CGSI 

Cyble Global Sensor Intelligence (CGSI) detected scanning activity targeting this vulnerability just a day later, on February 29th, and the activity has been ongoing since, which indicates that threat actors (TAs) were quick to leverage the publicly available information to exploit vulnerable systems. 

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

Aiohttp, a Python asynchronous HTTP framework, allows defining static file serving routes with a root directory.

An option, `follow_symlinks,` controls following symbolic links. When enabled, it lacks proper validation, allowing attackers to access arbitrary files on the server even without symlinks. 

The directory traversal vulnerability arises because paths are constructed by joining the requested path with the root directory, enabling attackers to traverse outside the intended area using carefully crafted requests. 

IP has been identified as linked to LockBit ransomware activity and the ShadowSyndicate group.

Active since July 2022, ShadowSyndicate is a RaaS affiliate that employs various ransomware strains. 

Group-IB researchers connected them to incidents involving Quantum (September 2022), Nokoyawa (October 2022, November 2022, March 2023), and ALPHV (February 2023) ransomware, demonstrating their wide-ranging and frequent ransomware attacks. 

The following IPs,,,,, and, were identified as indicators of compromise, which were observed attempting to exploit a vulnerability, CVE-2024-23334 suggesting that systems associated with these IPs might be malicious and should be investigated further.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.