Remote code execution · CVE-2017-5638 · 2017 · 6 min read

What was Equifax?

A fix for Apache Struts was already out. Equifax had it on the to-do list and did not apply it in time. Attackers used the same public flaw to walk in and take the records of 147 million people.

  • 147M people's records exposed
  • $700M+ in eventual settlements and penalties
  • 1 missed patch on one internet-facing app
  • 76 days attackers had access before detection

What happened

In 2017 attackers found an Equifax web application running a version of Apache Struts with a known, already-patched flaw. They used it to run commands on the server, then moved through the network and pulled out personal data for months.

Nothing about this was exotic. The vulnerability was public, the patch existed, and the exploit was widely available. The failure was that the fix never reached the one server that needed it.

How the flaw worked

The Struts flaw let an attacker smuggle code into a part of an HTTP request that the framework would evaluate instead of treating as data. A crafted request became a command, and the command ran with the web server's privileges.

From there it was the usual story. Look around, find credentials, reach the databases, and quietly copy what is valuable.

Why a known bug became the worst kind

The technical flaw was ordinary. The damage came from process. No one had a reliable list of which systems ran Struts, so the patch was applied unevenly and one exposed app slipped through.

A single forgotten server, on a company holding data for half a country, was enough. The breach reshaped how regulators treat patch timelines and accountability.

How it unfolded

  1. Mar 7, 2017
    Apache releases a patch for the Struts flaw, with public advisories.
  2. Mar 10, 2017
    Exploitation of unpatched Struts apps is already happening in the wild.
  3. May 2017
    Attackers reach Equifax through an unpatched app and begin extracting data.
  4. Sep 2017
    Equifax discloses the breach. The fallout runs for years.

Where buggy.run fits

The flaw that sank Equifax was public knowledge. The problem was that nobody confirmed the live, internet-facing app was actually fixed.

buggy.run checks your real running surface on a schedule, not once. A known-bad version answering on the internet is the kind of thing that should never sit there for months unseen.

What to take away

  • Have a patch SLA for internet-facing apps and measure against it.
  • Keep an accurate inventory. You cannot patch what you do not know you run.
  • Re-scan continuously. A clean report last quarter says nothing about today.
  • Treat one exposed server as enough to lose everything, because it is.
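As an added example (not buggy.run's own code), here is a small inventory check that ties the takeaways together: it flags internet-facing apps whose framework version is still below the vendor fix, treats an unknown version as unpatched, and counts days past the patch SLA from the advisory date in the timeline. The app names, versions and the "fixed" versions are constructed placeholders; the real fixed versions come from the vendor advisory.

```python
# Added example (not buggy.run's code): flag internet-facing apps still below
# the vendor fix and report days past a patch SLA counted from the advisory.
from dataclasses import dataclass
from datetime import date
ADVISORY_DATE = date(2017, 3, 7)  # patch and public advisory, per the timeline

@dataclass
class App:
    name: str
    framework: str
    version: "str | None"  # None: the inventory does not know what is running
    internet_facing: bool

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(version, fixed_by_branch):
    """True unless the version is known and at or above its branch's fix."""
    if version is None:
        return True  # unknown version: treat as unpatched until confirmed
    fixed = fixed_by_branch.get(".".join(version.split(".")[:2]))
    if fixed is None:
        return True  # branch with no known fix: assume vulnerable
    return parse_version(version) < parse_version(fixed)

def overdue_apps(inventory, fixed_by_branch, observed_on, sla_days):
    """[(app name, days past SLA)] for exposed apps that are still vulnerable."""
    age = (observed_on - ADVISORY_DATE).days
    return [(a.name, max(0, age - sla_days)) for a in inventory
            if a.internet_facing and a.framework == "struts"
            and is_vulnerable(a.version, fixed_by_branch)]

# Constructed sample data. The fixed versions are placeholders; take the real
# ones for the CVE from the vendor advisory.
FIXED_PLACEHOLDER = {"2.3": "2.3.40", "2.5": "2.5.20"}
SAMPLE_INVENTORY = [
    App("customer-portal", "struts", "2.3.31", True),  # below fix, exposed
    App("partner-api", "struts", "2.5.20", True),      # at fix
    App("intranet-hr", "struts", "2.3.31", False),     # vulnerable, internal
    App("legacy-dispute", "struts", None, True),       # version unknown
    App("static-site", "nginx", "1.0", True),          # out of scope
]
def sample_report(observed_iso="2017-05-13", sla_days=30):
    observed = date.fromisoformat(observed_iso)
    return overdue_apps(SAMPLE_INVENTORY, FIXED_PLACEHOLDER, observed, sla_days)

if __name__ == "__main__":
    for name, days in sample_report():
        print(f"{name}: {days} days past SLA")
```

Run on a schedule against the live inventory, an app that keeps appearing in this list is exactly the forgotten server the article describes.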

Find your unnoticed bug before someone else does.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.