{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aoraclecommunications_design_studio7.3.5.5.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_asap_cartridges:7.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_asap_cartridges:7.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_design_studio:7.3.4.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_design_studio:7.4.0.4.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_design_studio:7.4.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_order_and_service_management:7.3.0.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_order_and_service_management:7.4:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2019-0227"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Axis"],"_cs_severities":["critical"],"_cs_tags":["ssrf","rce","apache"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eA public exploit has been published detailing a Server-Side Request Forgery (SSRF) vulnerability in Apache Axis version 1.4 and earlier, tracked as CVE-2019-0227. The vulnerability can lead to remote command execution (RCE) if the \u003ccode\u003eenableRemoteAdmin\u003c/code\u003e attribute is set to \u003ccode\u003etrue\u003c/code\u003e. An attacker can leverage the \u003ccode\u003eAdminService\u003c/code\u003e interface to deploy a malicious WebService and use a \u003ccode\u003eLogHandler\u003c/code\u003e to write a Webshell. The availability of a working exploit, particularly the \u003ccode\u003eaxis_exp.py\u003c/code\u003e Python script, significantly increases the risk to unpatched Apache Axis installations with the \u003ccode\u003eenableRemoteAdmin\u003c/code\u003e setting enabled. This script automates the deployment of malicious services and facilitates interactive command execution on the compromised server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/axis/services/AdminService\u003c/code\u003e to deploy a malicious service.\u003c/li\u003e\n\u003cli\u003eThe deployed service creates a \u003ccode\u003eRandomService\u003c/code\u003e that triggers a \u003ccode\u003eRandomLog\u003c/code\u003e on each request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRandomLog\u003c/code\u003e handler is configured to write a JSP webshell (e.g., \u003ccode\u003eshell.jsp\u003c/code\u003e) to the web application\u0026rsquo;s root directory (e.g., \u003ccode\u003e../webapps/ROOT/shell.jsp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/axis/services/RandomService\u003c/code\u003e to trigger the \u003ccode\u003eRandomLog\u003c/code\u003e handler and write the JSP webshell.\u003c/li\u003e\n\u003cli\u003eThe webshell writes JSP code from the request into the \u003ccode\u003eshell.jsp\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to \u003ccode\u003e/shell.jsp?c=command\u003c/code\u003e, where \u003ccode\u003ecommand\u003c/code\u003e is the system command to execute.\u003c/li\u003e\n\u003cli\u003eThe server executes the command passed in the \u003ccode\u003ec\u003c/code\u003e parameter and returns the result.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the target system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary system commands on the target server. This can lead to complete system compromise, data theft, and deployment of further malicious payloads. The exploit tool automates webshell deployment, lowering the barrier to entry for attackers. Exposed Apache Axis installations are vulnerable if the \u003ccode\u003eenableRemoteAdmin\u003c/code\u003e setting is enabled, and if exploited can result in significant data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable the \u003ccode\u003eenableRemoteAdmin\u003c/code\u003e attribute in the Apache Axis configuration to prevent remote administration as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for POST requests to \u003ccode\u003e/axis/services/AdminService\u003c/code\u003e as a potential indicator of exploit attempts (see the rule \u0026ldquo;Detect CVE-2019-0227 Exploitation Attempt via AdminService\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict access to the \u003ccode\u003e/services/AdminService\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Webshell Creation via Axis LogHandler\u0026rdquo; to identify webshell creation attempts via the LogHandler.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for GET requests to JSP files in the web application\u0026rsquo;s root directory with a \u0026lsquo;c\u0026rsquo; parameter for command execution as indicators of compromise.\u003c/li\u003e\n\u003cli\u003eUpgrade to a supported and patched version of Apache Axis or migrate to another web service framework.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T13:01:35Z","date_published":"2026-05-16T13:01:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apache-axis-ssrf/","summary":"A public exploit has been released for CVE-2019-0227, a Server-Side Request Forgery vulnerability in Apache Axis 1.4 and earlier, allowing unauthenticated remote command execution when `enableRemoteAdmin` is true via deployment of a malicious webservice and webshell.","title":"Apache Axis 1.4 Server-Side Request Forgery Vulnerability (CVE-2019-0227) Exploit","url":"https://feed.craftedsignal.io/briefs/2026-05-apache-axis-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}