Status: PASSED
Category: security / zero_day_exploit_detected

Zero-Day Exploit Detected — Active Exploitation of Unpatched Vulnerability

A zero-day remote code execution vulnerability in the Apache Struts framework is being actively exploited against the organization's public-facing Java applications. The EDR detects suspicious process execution patterns consistent with the exploit. CISA has not yet issued an advisory but threat intel feeds show active exploitation in the wild.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | UNKNOWN | UNKNOWN | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 46 linked | |
| Cascade Escalation | Yes | Yes | |
| Remediation | Remote Hands — Corax contacts on-site support via call, email, or API | | |

Scenario Conditions

Apache Struts 6.3.0 (unpatched zero-day). 4 public-facing Java web applications. Exploit delivers webshell via OGNL injection. EDR detecting post-exploitation activity. No vendor patch available. WAF rules do not cover the new attack vector. Threat intel: active exploitation by APT group.

Injected Error Messages (3)

CrowdStrike Falcon CRITICAL detection — ExploitActivity on app-ext-01 and app-ext-02, technique: OGNL injection in Apache Struts content-type header, no CVE assigned yet (zero-day), post-exploitation: webshell 'cmd.jsp' deployed to /var/lib/tomcat/webapps/ROOT/, process tree: java -> /bin/bash -> curl (downloading secondary payload from 103.56.78.90), threat actor fingerprint matches APT-41 TTPs, IOC hash: SHA256:e4d9f7a...
app-ext-01 webshell detected — unauthorized file '/var/lib/tomcat/webapps/ROOT/cmd.jsp' created by java process, webshell accepting commands via GET parameter 'exec', outbound connections to 103.56.78.90 and 185.220.101.x (known APT infrastructure), local reconnaissance commands executed: 'whoami', 'cat /etc/passwd', 'netstat -tlnp', 'cat /proc/version', attempting lateral movement to internal database servers
app-ext-02 actively exploited — Apache Struts OGNL injection detected in access logs, malicious Content-Type header: '%{(#_memberAccess["allowStaticMethodAccess"]=true)}', webshell deployed, attacker enumerating internal network from compromised server, outbound data transfer detected: 2.4GB exfiltrated to external IP in last 30 minutes, internal API credentials harvested from application.properties

Neural Engine Root Cause Analysis

This is a security incident, not a monitoring failure. The CrowdStrike EDR console appears down because the monitored systems (app-ext-01 and app-ext-02) have been compromised by APT-41 using a zero-day OGNL injection attack against Apache Struts. The attackers deployed webshells and are downloading secondary payloads, likely causing system instability or defensive isolation. The 15 correlated incidents suggest either widespread compromise or automated security response isolation of affected systems.

Remediation Plan

1. IMMEDIATE: Isolate app-ext-01 and app-ext-02 from the network to prevent lateral movement.
2. Verify EDR console connectivity and check whether isolation is causing monitoring gaps.
3. Engage the incident response team for forensic analysis of the compromised systems.
4. Block IOC hash e4d9f7a... and IP 103.56.78.90 across all security controls.
5. Scan all Apache Struts instances for similar compromise indicators.
6. Patch or mitigate the OGNL injection vulnerability once a fix is available.
7. Rebuild compromised systems from clean backups after forensic preservation.
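Step 5 (sweeping the other Struts instances) needs a concrete check. The following is an added example, not Corax's or the scenario's own code: it scans access-log lines for the two indicators the injected messages describe, an OGNL expression in the request Content-Type header and command requests to a deployed JSP via the 'exec' parameter, and groups the firing sources for blocking and forensics. The log lines are constructed, and the layout assumes a Tomcat AccessLogValve pattern that appends the raw Content-Type header as a trailing `ct=` field.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not captured data). Assumes a Tomcat AccessLogValve
# pattern that appends the raw request Content-Type header as a trailing "ct=" field
# (pattern suffix ' ct=%{Content-Type}i'), so quotes inside the header cannot break parsing.
ACCESS_LOG = [
    '203.0.113.7 - - [30/Mar/2026:10:01:12 +0000] "POST /upload.action HTTP/1.1" 200 512 '
    'ct=%{(#_memberAccess["allowStaticMethodAccess"]=true)}',
    '198.51.100.22 - - [30/Mar/2026:10:01:15 +0000] "GET /index.action HTTP/1.1" 200 2048 ct=text/html',
    '203.0.113.7 - - [30/Mar/2026:10:02:40 +0000] "GET /cmd.jsp?exec=whoami HTTP/1.1" 200 64 ct=-',
    '198.51.100.9 - - [30/Mar/2026:10:03:01 +0000] "POST /upload.action HTTP/1.1" 200 300 '
    'ct=multipart/form-data; boundary=----abc',
]

# An OGNL expression is "%{ ... }". A Content-Type header never legitimately contains one, and
# the exploit needs a variable reference such as #_memberAccess inside it, so matching "%{"
# followed by "#" before the closing brace catches the scenario's payload and variants of it.
OGNL_IN_HEADER = re.compile(r'%\{[^}]*#')
# A request to a JSP under the web root that carries the scenario's 'exec' command parameter.
WEBSHELL_REQUEST = re.compile(r'"(?:GET|POST) /[^" ?]*\.jsp\?(?:[^" ]*&)?exec=')


def classify(line: str) -> List[str]:
    """Return the detection labels that fire on one access-log line."""
    hits: List[str] = []
    content_type = line.split(' ct=', 1)[1] if ' ct=' in line else ''
    if OGNL_IN_HEADER.search(content_type):
        hits.append('struts_ognl_content_type')
    if WEBSHELL_REQUEST.search(line):
        hits.append('webshell_command_request')
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each firing label to the distinct source IPs seen with it (seed for blocking/forensics)."""
    by_label: Dict[str, List[str]] = {}
    for line in lines:
        src = line.split(' ', 1)[0]
        for label in classify(line):
            ips = by_label.setdefault(label, [])
            if src not in ips:
                ips.append(src)
    return by_label


if __name__ == '__main__':
    for label, ips in scan(ACCESS_LOG).items():
        print(f'{label}: {", ".join(ips)}')
```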
Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmncjx2a405izobqe7su1qbqt