Critical ownCloud Vulnerability Under Active Exploitation

November 28, 2023

Threat actors have begun exploiting a critical vulnerability in the open-source file-sharing and collaboration platform ownCloud. The vulnerability, tracked as CVE-2023-49103, exposes sensitive environment variables, including credentials, license keys, and other system data. It affects the Graphapi application in versions 0.2.0 to 0.3.0. The flaw is severe enough that disabling the Graphapi app does not mitigate the risk. Remediation also requires changing the passwords of administrative accounts, the access keys, and the credentials for the mail server and the database.
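As an added example (not code from the article or from the ownCloud project), the following Python script turns the paragraph above into an inventory triage step: it checks each instance's Graphapi version against the range the article names and lists the credentials that must be rotated when an instance falls inside it, whether or not the app has been disabled. The inventory is constructed sample data, the hostnames are placeholders, and the range is treated as inclusive of both 0.2.0 and 0.3.0, which is an assumption based on the article's wording.

```python
"""Triage an ownCloud inventory against the Graphapi version range named in the
article. Added example, not the article's or ownCloud's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected Graphapi range as stated in the article. Treated as inclusive at
# both ends (assumption drawn from the wording "versions 0.2.0 to 0.3.0").
AFFECTED_MIN = (0, 2, 0)
AFFECTED_MAX = (0, 3, 0)

# Credentials the article says must be rotated on an affected instance.
ROTATE = (
    "administrative account passwords",
    "access keys",
    "mail server credentials",
    "database credentials",
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into an int tuple; missing parts count as 0."""
    nums: List[int] = []
    for part in version.strip().split(".")[:3]:
        if not part.isdigit():
            raise ValueError(f"unparseable version component in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(graphapi_version: str) -> bool:
    """True when the Graphapi version lies in the affected range."""
    return AFFECTED_MIN <= parse_version(graphapi_version) <= AFFECTED_MAX


@dataclass
class Instance:
    host: str
    graphapi_version: Optional[str]  # None: Graphapi app not installed
    graphapi_enabled: bool


def triage(instances: List[Instance]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (host, verdict, credentials_to_rotate) for each instance.

    An instance with the app merely disabled is still reported as affected,
    because the article states that disabling Graphapi is not a mitigation.
    """
    findings = []
    for inst in instances:
        if inst.graphapi_version is None:
            findings.append((inst.host, "not affected: Graphapi not installed", ()))
        elif not is_affected(inst.graphapi_version):
            findings.append(
                (inst.host, f"not affected: Graphapi {inst.graphapi_version}", ())
            )
        else:
            state = "enabled" if inst.graphapi_enabled else "disabled, still affected"
            verdict = f"affected: Graphapi {inst.graphapi_version} ({state})"
            findings.append((inst.host, verdict, ROTATE))
    return findings


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    Instance("files.example.test", "0.2.1", True),
    Instance("share.example.test", "0.3.0", False),
    Instance("docs.example.test", "0.3.1", True),
    Instance("wiki.example.test", None, False),
]

if __name__ == "__main__":
    for host, verdict, actions in triage(SAMPLE_INVENTORY):
        extra = f" -> rotate: {', '.join(actions)}" if actions else ""
        print(f"{host}: {verdict}{extra}")
```

Feeding the script a real inventory means replacing SAMPLE_INVENTORY with the Graphapi version recorded for each instance; the verdicts then give the list of hosts whose credentials need rotating in addition to the upgrade.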

ownCloud disclosed the vulnerability on November 21, alongside two other critical issues in the software (CVE-2023-49104 and CVE-2023-49105). The US cybersecurity agency CISA listed the bugs in its weekly vulnerability roundup on Monday, without assigning a severity rating. On the same day, services that track attack activity and exposed assets warned of the first observed exploitation attempts targeting CVE-2023-49103.

The nonprofit cybersecurity organization Shadowserver Foundation has identified approximately 11,000 ownCloud instances that are exposed to the internet and potentially at risk. The majority of these instances are located in Germany (2,000), followed by the US (1,400), and France (1,300). The remaining instances are spread across Russia, Poland, the Netherlands, Italy, the UK, Canada, and Spain. Shadowserver has emphasized the ease with which this vulnerability can be exploited and has urged administrators to implement the mitigation steps outlined by ownCloud.

According to Greynoise data, targeting of CVE-2023-49103 began on November 25, with attacks coming from a single IP address. Exploitation attempts escalated on Monday, when 11 additional unique IPs joined in. Johannes Ullrich of the SANS Internet Storm Center also warned of activity targeting the ownCloud vulnerability, identifying five IPs involved in the observed attacks, which have been scanning for files within vulnerable ownCloud instances. SOC Radar noted that this pattern could indicate a coordinated effort by threat actors or botnets to exploit the disclosed flaw. Ullrich, however, pointed out that there is a constant stream of attacks against ownCloud instances, many of which are likely only trying to locate ownCloud instances in order to exploit old vulnerabilities or try weak passwords.
