What happened
In 2017 attackers found an Equifax web application running a version of Apache Struts with a known, already-patched flaw. They used it to run commands on the server, then moved through the network and pulled out personal data for months.
Nothing about this was exotic. The vulnerability was public, the patch existed, and the exploit was widely available. The failure was that the fix never reached the one server that needed it.
How the flaw worked
The Struts flaw let an attacker smuggle code into a part of an HTTP request that the framework evaluated as an expression instead of treating as data. A crafted request became a command, and the command ran with the web server's privileges.
From there it was the usual story. Look around, find credentials, reach the databases, and quietly copy what is valuable.
Why a known bug became the worst kind
The technical flaw was ordinary. The damage came from process. No one had a reliable list of which systems ran Struts, so the patch was applied unevenly and one exposed app slipped through.
A single forgotten server, on a company holding data for half a country, was enough. The breach reshaped how regulators treat patch timelines and accountability.
How it unfolded
- Mar 7, 2017: Apache releases a patch for the Struts flaw, with public advisories.
- Mar 10, 2017: Exploitation of unpatched Struts apps is already happening in the wild.
- May 2017: Attackers reach Equifax through an unpatched app and begin extracting data.
- Sep 2017: Equifax discloses the breach. The fallout runs for years.
Where buggy.run fits
The flaw that sank Equifax was public knowledge. The problem was that nobody confirmed the live, internet-facing app was actually fixed.
buggy.run checks your real running surface on a schedule, not once. A known-bad version answering on the internet is the kind of thing that should never sit there for months unseen.
What to take away
- Have a patch SLA for internet-facing apps and measure against it.
- Keep an accurate inventory. You cannot patch what you do not know you run.
- Re-scan continuously. A clean report last quarter says nothing about today.
- Treat one exposed server as enough to lose everything, because it is.
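The first three takeaways (a measured patch SLA, an accurate inventory, and continuous re-checking) can be turned into a small, repeatable check. The script below is an added example, not buggy.run's code or Equifax's process. It assumes an inventory of deployed apps with product and version, an advisory table keyed by product, and a policy of 14 days for internet-facing apps and 30 for internal ones. The advisory date is the one this page gives; the "fixed" version, the inventory entries and the SLA values are constructed placeholders, not the real Struts fix version. Apps whose version the inventory does not know are reported too, since an unknown entry is exactly the gap that let one server slip through.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy (not from the article): internet-facing apps must be patched
# within SLA_DAYS_EXTERNAL days of a public advisory, internal apps within
# SLA_DAYS_INTERNAL days.
SLA_DAYS_EXTERNAL = 14
SLA_DAYS_INTERNAL = 30

# Constructed advisory table. The published date is the one the article gives
# for the Struts advisory; the "fixed" version is a placeholder, not the real
# Struts fix version. Any version below "fixed" is treated as vulnerable.
ADVISORIES = {
    "struts": {"fixed": (2, 3, 99), "published": date(2017, 3, 7)},
}


@dataclass
class App:
    name: str
    product: str
    version: Optional[str]  # None: the inventory does not know what is running
    internet_facing: bool


def parse_version(text: str) -> tuple:
    """Turn '2.3.5' into (2, 3, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(apps, today: date):
    """Return one finding per app that is vulnerable, past SLA, or of unknown version.

    status is one of:
      "unknown-version" - inventory has no version; cannot prove it is patched
      "vulnerable"      - below the fixed version, still inside the SLA window
      "overdue"         - below the fixed version and past the SLA window
    """
    findings = []
    for app in apps:
        advisory = ADVISORIES.get(app.product)
        if advisory is None:
            continue  # no known-bad advisory for this product
        if app.version is None:
            findings.append({"app": app.name, "status": "unknown-version",
                             "days_over_sla": None})
            continue
        if parse_version(app.version) >= advisory["fixed"]:
            continue  # patched
        sla = SLA_DAYS_EXTERNAL if app.internet_facing else SLA_DAYS_INTERNAL
        age_days = (today - advisory["published"]).days
        status = "overdue" if age_days > sla else "vulnerable"
        findings.append({"app": app.name, "status": status,
                         "days_over_sla": max(0, age_days - sla)})
    return findings


# Constructed inventory; names and versions are made up for the example.
INVENTORY = [
    App("dispute-portal", "struts", "2.3.5", internet_facing=True),
    App("hr-intranet", "struts", "2.3.5", internet_facing=False),
    App("partner-api", "struts", "2.4.0", internet_facing=True),
    App("legacy-app", "struts", None, internet_facing=True),
    App("billing", "django", "1.11", internet_facing=True),
]


def report(today: date = date(2017, 5, 13)):
    """Run the check for a given day; meant to be scheduled, not run once."""
    return assess(INVENTORY, today)


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Scheduling this against the real inventory is the point: the same run that reported "vulnerable" a week after the advisory should report "overdue" once the SLA lapses, and an "unknown-version" line is a prompt to go find out what that host is actually running.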