Vendor
Unusual Child Process Execution from Linux Web Servers
2 rules 4 TTPs
This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.
Suspicious Command Execution via Web Server on Linux
2 rules 3 TTPs
Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.
Suspicious Command Execution via Web Server on Linux
3 rules 2 TTPs
Identifies suspicious command executions via a web server on Linux systems, potentially indicating a vulnerability exploitation or remote shell access for persistence.
Unusual Command Execution from Web Server Parent Process on Linux
2 rules 3 TTPs
This rule detects potential command execution from a web server parent process on a Linux host, indicating a possible web shell attack where adversaries exploit web server vulnerabilities to execute arbitrary commands.
Apache CouchDB Improper Privilege Management Leads to Remote Code Execution
2 rules 2 TTPs 2 CVEs
A public exploit demonstrates improper privilege management in Apache CouchDB (CVE-2017-12635) leading to privilege escalation, which can be combined with CVE-2017-12636 for remote code execution by modifying server configurations via the HTTP API.
Apache Tika Vulnerability Allows Information Disclosure or Manipulation
2 rules 1 TTP
A remote, anonymous attacker can exploit a vulnerability in Apache Tika to read sensitive data or trigger malicious requests to internal resources or third-party servers.
Critical Deserialization Vulnerability in Apache ActiveMQ NMS AMQP Client (CVE-2025-54539)
2 rules 1 TTP 1 CVE
A critical deserialization of untrusted data vulnerability (CVE-2025-54539) exists in Apache ActiveMQ NMS AMQP Client <= v2.3.0, where an attacker controlling or impersonating an AMQP broker can send malicious serialized data that the client deserializes unsafely, allowing arbitrary code execution on the client system.
CVE-2026-44930: Apache CXF LDAP Injection Vulnerability
2 rules 1 TTP 1 CVE
CVE-2026-44930 is an LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF that may allow an attacker to retrieve arbitrary certificates from the repository.
Apache Tomcat Security Bypass Vulnerability
2 rules 1 TTP
A remote, anonymous attacker can exploit a vulnerability in Apache Tomcat to bypass security measures.
Multiple Vulnerabilities in Apache OFBiz
2 rules 9 TTPs
Multiple vulnerabilities in Apache OFBiz could allow an attacker to execute arbitrary code, circumvent security measures, manipulate data, disclose confidential information, or conduct cross-site scripting attacks.
Apache Axis 1.4 Server-Side Request Forgery Vulnerability (CVE-2019-0227) Exploit
2 rules 2 TTPs 1 CVE 1 IOC
A public exploit has been released for CVE-2019-0227, a Server-Side Request Forgery vulnerability in Apache Axis 1.4 and earlier, allowing unauthenticated remote command execution when `enableRemoteAdmin` is true via deployment of a malicious webservice and webshell.
Multiple Vulnerabilities in Apache Camel
3 rules 2 TTPs
Multiple vulnerabilities in Apache Camel could allow an attacker to execute arbitrary code, manipulate data, or disclose sensitive information.
Apache Camel Vulnerability Allows Remote Code Execution
2 rules 1 TTP
A remote, anonymous attacker can exploit a vulnerability in Apache Camel to execute arbitrary program code with the privileges of the service.
Multiple Vulnerabilities in Apache Solr
2 rules 3 TTPs
Multiple vulnerabilities in Apache Solr could be exploited by an attacker to bypass security measures, manipulate data, and disclose sensitive information.
Siemens Opcenter RDnL Missing Authentication Vulnerability (CVE-2026-27446)
2 rules 1 TTP 1 CVE
Siemens Opcenter RDnL is vulnerable to missing authentication in critical function (CVE-2026-27446), where an unauthenticated attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker, potentially leading to availability impacts and message injection.
Apache HertzBeat 1.8.0 Remote Code Execution Vulnerability
2 rules 1 TTP
Apache HertzBeat 1.8.0 is vulnerable to remote code execution due to a newly published exploit, posing a significant risk to unpatched systems.
Apache Cassandra Vulnerability Allows Code Execution
2 rules 1 TTP
A local attacker can exploit a vulnerability in Apache Cassandra to execute arbitrary program code, potentially leading to complete system compromise.
Apache Airflow Providers OpenSearch and Elasticsearch Information Disclosure Vulnerabilities
1 rule 1 TTP
A remote, authenticated attacker can exploit multiple vulnerabilities in Apache Airflow Providers OpenSearch and Elasticsearch to disclose sensitive information.
Apache NiFi Vulnerability Allows Remote Code Execution
2 rules 1 TTP
A vulnerability in Apache NiFi allows a remote attacker to execute arbitrary program code on the affected system.
Apache NiFi Multiple Vulnerabilities Allow Remote Code Execution
2 rules
An authenticated, remote attacker can exploit multiple vulnerabilities in Apache NiFi to execute arbitrary code and achieve unspecified impacts.
Apache Airflow OpenSearch Provider Credentials Leak via Task Logs (CVE-2026-43826)
2 rules
The OpenSearch logging provider in Apache Airflow Providers OpenSearch versions before 1.9.1 wrote host URLs containing embedded credentials into task logs, potentially exposing them to unauthorized users with task-log read permission (CVE-2026-43826).
Apache HTTP Server HTTP/2 Protocol Vulnerability Could Allow for Remote Code Execution
2 rules 2 TTPs
A vulnerability in Apache HTTP Server's HTTP/2 protocol can lead to denial of service by crashing worker processes, and in specific configurations (APR with mmap), remote code execution.
Multiple Vulnerabilities in Apache Wicket
2 rules 2 TTPs
Multiple vulnerabilities in Apache Wicket could allow an attacker to bypass security measures, perform Cross-Site Scripting (XSS) attacks, disclose confidential information, or manipulate data.
Multiple Vulnerabilities in Apache HTTP Server
2 rules 6 TTPs
Multiple vulnerabilities in Apache HTTP Server can be exploited by an attacker to gain elevated privileges, execute arbitrary code, bypass security measures, disclose sensitive information, or cause a denial-of-service condition.
Multiple Vulnerabilities in Apache HTTP Server Allow Remote Code Execution, Privilege Escalation, and Denial of Service
3 rules 3 TTPs 5 CVEs
Multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.67 can allow remote attackers to execute arbitrary code, escalate privileges, or cause a denial of service.
Apache MINA Arbitrary Code Execution Vulnerability
2 rules 1 TTP 1 CVE
A critical arbitrary code execution vulnerability (CVE-2026-41635) exists in Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5 due to missing class validation in the AbstractIoBuffer.resolveClass() method, potentially allowing attackers to execute arbitrary code on applications using Apache MINA.
BridgeHead FileStore Unauthenticated Remote Code Execution via Apache Axis2
2 rules 2 TTPs 1 CVE
BridgeHead FileStore versions prior to 24A are vulnerable to unauthenticated remote code execution via exposed Apache Axis2 administration module with default credentials, enabling attackers to upload malicious web services and execute arbitrary OS commands.
Apache ActiveMQ Vulnerabilities Allow RCE and XSS
2 rules 1 TTP 5 CVEs
An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.
Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment
2 rules 3 TTPs 1 CVE
Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.
OpenMRS ModuleResourcesServlet Path Traversal Vulnerability
2 rules 1 TTP
OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.