[2025.05] Web Attack Trend Report

Posted on 2025-06-242025-06-30 by marketing

1. Weekly web attack trends You can analyze weekly web attack trends to see when web attacks are concentrated at any given time. Based on this, you can use it to plan proactive prevention and response strategies for peak attack periods. The graph below visualizes the number of web attacks detected by AIWAF during the month of May 2025, on a weekly basis. Analyzing AIWAF detected data for the month of May 2025, we detected an average of approximately 380,000+ web attacks per day, which is a significant increase from the previous month and indicates that the threats to web servers continue to escalate. We also observed a higher frequency of attacks on weekends (Saturday and Sunday) than on weekdays, which could indicate a strategic approach to take advantage of lower web server utilization during non-business hours. Notably, May 21 saw the highest concentration of web attacks during the entire period, with SQL Injection accounting for the highest percentage of attack types detected on that day. SQL Injection is a common attack method that manipulates databases to take over system privileges or steal internal information. Attackers often use this technique to bypass a system’s user authentication process or to gain insight into the database structure, which makes it especially important for organizations to protect their sensitive information. In fact, AIWAF categorizes SQL Injection as a high-risk attack type with the most detection patterns. The results of this analysis show that major web attack types, including SQL Injection, require continued attention and sophisticated countermeasure strategies, and will provide an important basis for future detection and blocking policies. 2. Web attack trends by attack type By analyzing web attack trends by attack type based on detection logs, you can systematically identify which types of attacks are most frequent over the course of a month. This analysis is more than just a statistic; it is a key reference point for refining your organization’s security policy and response. Analyzing the detection logs collected by AIWAF during the month of May 2025, we detected a wide range of web attacks, some of which showed distinct patterns, such as being concentrated in certain time periods or accounting for a high proportion of the total number of attacks. In particular, classic and still threatening attack types such as SQL Injection and System File Access are at the top of the list, and they tend to be carried out repeatedly, often by automated attack tools or botnets. The graph below visualizes the distribution of web attack types detected by AIWAF as of May 2025. According to the statistics by type of web attack detected by AIWAF in the month of April 2025, SQL Injection was the most prevalent, accounting for 24.95% of all detections. This was followed by System File Access (18.55%), Default Page (15.43%), and Directory Traversal (12.16%). This calls for more precise responses and proactive measures against this particular type of attack. First of all, SQL Injection is a type of attack that is always high on the OWASP Top 10, and the attack techniques are highly evolving. This attack typically occurs when values passed via user input are embedded in SQL queries and executed verbatim, which can be exploited by an attacker to bypass improper authentication, view database structures, steal sensitive data, and more. Organizations are particularly vulnerable to these attacks if they use dynamic queries or lack validation of input values. System File Access (18.55%), the second highest percentage, refers to attempts by attackers to exploit vulnerabilities in web applications to gain unauthorized access to files and directories inside the system or to manipulate arbitrary files. These attacks can be caused by web server configuration issues, insufficient access controls, directory path validation failures, etc. and can lead to system privilege takeover or backdoor installation if successful. The third highest category, Default Page (15.43%), targets pages that retain their initial settings after installation or system message pages. They expose information during the information gathering phase that can be used in subsequent attacks to determine the type of software and configuration of the system. While this attack type is largely passive, it is often detected in high volume by automated scanners, making early detection and response critical. Directory traversal (12.16%), the fourth most common, can expose sensitive system files or the source code of an application. This vulnerability can be particularly devastating in applications that perform file operations based on user input. With the increasing integration of cloud-based SaaS systems or API-based services, inadequate file access control can also pose a significant threat to cloud infrastructure, which may influence the creation of stricter cloud security policies in the future. 3. Summary of web attack trend graphs for the last 3 months February March April 4. Top 30 Attacker IPs 5. Vulnerability analysis reports [Vulnerability Report] Apache Tomcat RCE Vulnerability (CVE-2025-24813) A. Overview Apache Tomcat is an open source software under the Apache License Version 2 that provides a servlet container for running Java Server Pages (JSPs) and Java Servlets. This software is widely used as a servlet container in commercial web application servers, and we have analyzed RCE vulnerabilities in this software. Source : https://tomcat.apache.org/ B. Attack types CVE-2025-24813 stems from the way Tomcat handles partial PUT requests and allows an unauthenticated user to perform remote code execution (RCE), view security-sensitive files, and inject content into those files. The attacker sends a PUT request to the server that contains a Base64-encoded serialized Java payload. This payload is designed to trigger an RCE upon deserialization. Ex) Create Java-based payloads Ex) Generate exploit upload packets Ex) Apache Tomcat incorrectly treats this file as a legitimate session object due to directory traversal After sending the above request, the attacker sends a GET request with a specially crafted “JSESSIONID” cookie that references the malicious session, causing the server to deserialize the payload and execute arbitrary code. Ex) C. What to do CVE-2025-24813 is addressed by security patches in Tomcat 9.0.99 and later, 10.1.35 and later, 11.0.3 and later, and we recommend using these versions or later. For this vulnerability, our WAF will be further analyzed and updated to address attacks via encoded bypass paths such as /..;/, %2e%2e%3b/, ;%2e%2e/, etc. D. Conclusion Apache Tomcat, a popular Java-based web application server used worldwide, was recently discovered to contain an RCE vulnerability, identified as CVE-2025-24813. The vulnerability is due to a path validation error in the DefaultServlet, which could allow an attacker to access restricted resources or execute arbitrary code without authentication. By sending an HTTP request with a specially crafted path, an attacker can bypass authentication and execute actions that normally can only be performed by authenticated users. This could lead to remote code execution (RCE) attempts, especially to take full control of the system or execute malicious files, making it urgent for organizations and institutions using Apache Tomcat to apply the latest security patches. Our AIWAF products are continuously monitoring and detecting vulnerabilities in real-time in widely used open source-based web servers such as Apache Tomcat, and responding to these vulnerabilities with proactive defenses based on analysis of detection signatures and evasion patterns. We will continue to analyze and update our vulnerabilities for similar path bypass and authentication bypass vulnerabilities in the future. E. References https://www.cyfirma.com/research/cve-2025-24813-apache-tomcat-rce-vulnerability-analysis/ https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/ https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis https://nvd.nist.gov/vuln/detail/CVE-2025-24813 Read more about [2025.05] Web Attack Trend Report[…]

[2025.06 Vulnerability Report] Reflected Cross-Site Scripting in MailEnable (CVE-2025-44148)

Posted on 2025-06-202025-07-02 by marketing

2025.06 – Reflected Cross-Site Scripting in MailEnable (CVE-2025-44148) The CVE-2025-44148 vulnerability in MailEnable is a reflected cross-site scripting (XSS) vulnerability that occurs in the failure.aspx page of versions prior to v10. An attacker can execute the script in the user’s session by inserting JavaScript code through a malicious URL. This can lead to risks such as session hijacking, malicious script execution, and phishing attacks. In our AIWAF product, we are developing patterns to respond to vulnerabilities occurring in MailEnable, and we will respond quickly to vulnerabilities that are discovered in the future. 1. Overview MailEnable is mail server software used on Windows servers. It provides email sending and receiving capabilities, and supports POP3, SMTP, and IMAP protocols. It also allows email to be used in a browser through its webmail feature. In addition, it is responsible for providing spam protection, antivirus features, groupware features, and more. This report summarizes our recent analysis of Cross Site Scripting within MailEnable. Source : https://www.facebook.com/photo/?fbid=451757020309959&set=a.451756946976633 2. Attack type CVE-2025-44148 is a Cross-Site Scripting (XSS) vulnerability in the failure.aspx page of the MailEnable product. This vulnerability was found in MailEnable v10 and earlier, and could allow an attacker to inject a malicious script via a specially crafted URL, which could result in the script being executed in the user’s browser. For example, by sending a request to failure.aspx with a payload such as <script>alert(1)</script> in the msg parameter, an attacker could perform a variety of attacks, including hijacking a user’s session, executing malicious code, or phishing. The vulnerability is externally accessible without authentication and can affect web interfaces or cloud-based SaaS systems that use MailEnable. The risk is increased when client-side security policies (CSPs) are not in place, especially when API integrations or admin portals mirror user input. Example attack Request : GET /Mail/failure.aspx?msg=<script>alert(‘XSS’)</script> HTTP/1.1 Host: victim-domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close 3. Mitigation A separate patch for the CVE-2025-44148 vulnerability in MailEnable has not yet been released. The current patch recommendation is to upgrade to MailEnable v10 or later, which should be patched after version checking. In our AIWAF product, we are responding via the 114: Cross Site Scripting(14) pattern. 4. Conclusion The CVE-2025-44148 vulnerability in MailEnable is a reflexive cross-site scripting (XSS) vulnerability that occurs in the failure.aspx page in v10 and earlier versions of MailEnable. An attacker can inject JavaScript code via a malicious URL and execute that script in the user’s session. This can lead to session hijacking, malicious script execution, phishing attacks, and other risks. Our AIWAF product has developed patterns to respond to vulnerabilities within MailEnable, and we will continue to respond quickly to vulnerabilities as they are discovered. 5. References https://github.com/barisbaydur/CVE-2025-44148 https://nvd.nist.gov/vuln/detail/CVE-2025-44148

[2025.06 Vulnerability Report] Kentico Xperience CMS Authentication Bypass

Posted on 2025-06-202025-07-02 by marketing

2025.06 – Kentico Xperience CMS Authentication Bypass The vulnerability is an authentication bypass vulnerability in the Kentico Xperience CMS platform, which could allow an attacker to attempt to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx. The vulnerability was patched in Kentico Xperience CMS platform version 13.0.178, and AIWAF responded by adding patterns to detect these vulnerabilities in a May 2025 pattern update. 1. Overview Xperience CMS is a digital marketing platform provided by Kentico, which is an integrated system platform that includes content management services, digital marketing, e-commerce management, and more. This report summarizes our analysis of CVE-2025-2746 and CVE-2025-2747, the authentication bypass and RCE vulnerabilities recently discovered in the platform. Source : https://en.wikipedia.org/wiki/Kentico_Xperience 2. Attack type CVE-2025-2746 is an authentication bypass vulnerability that leverages a vulnerable authentication system in certain endpoints of Kentico’s Xperience CMS platform. According to watchtowr, who analyzed the vulnerability, an attacker can attempt to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx, by exploiting the return of the password hash value as an empty string when an invalid username is entered during the authentication process. protected override string AuthenticateToken(UsernameToken token) { if (token == null) { throw new ArgumentNullException(“[WebServiceAuthorization.AuthenticateToken]: Missing username authentication token.”); } AbstractStockHelper<RequestStockHelper>.Add(“AUTH_PROCESSED”, true, false); string value = SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + “.CMSStagingServiceUsername”); string text = EncryptionHelper.DecryptData(SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + “.CMSStagingServicePassword”)); if (string.IsNullOrEmpty(text)) { throw new SecurityException(“[WebServiceAuthorization.AuthenticateToken]: Staging does not work with blank password. Set a password on the target server.”); } if (value == token.Username) { return StagingTaskRunner.GetSHA1Hash(text); } return “”; } Source : https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/ An attacker can bypass the authentication process by selecting the hash-based password verification mode, sending a SOAP request with a SHA1 hash code in the form of an empty string password, and, in conjunction with the vulnerability, leverage the internal API after authentication to attempt an RCE attack. Example attack Request : POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1 Host: www.test.com Content-Type: text/xml; charset=utf-8 Content-Length: 1095 SOAPAction: “<http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData>” <soap:Envelope xmlns:xsi=”<http://www.w3.org/2001/XMLSchema-instance>” xmlns:xsd=”<http://www.w3.org/2001/XMLSchema>” xmlns:soap=”<http://schemas.xmlsoap.org/soap/envelope/>”> <soap:Header> <wsse:Security xmlns:wsse=”<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd>” xmlns:wsu=”<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>”> <wsse:UsernameToken> <wsse:Username>hacker</wsse:Username> <wsse:Password Type=”<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest>”>OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password> <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce> <wsu:Created>2025-05-013T014:54:17Z</wsu:Created> </wsse:UsernameToken> </wsse:Security> </soap:Header> <soap:Body> <ProcessSynchronizationTaskData xmlns=”<http://localhost/SyncWebService/SyncServer>”> <stagingTaskData><![CDATA[<hacker>]]></stagingTaskData> Read more about [2025.06 Vulnerability Report] Kentico Xperience CMS Authentication Bypass[…]

Compliment Relay May 2025 by MinWoo Oh

Posted on 2025-06-042025-07-07 by marketing

Hello from MONITORAPP. It’s June, the warm spring breezes have passed, and we’re already feeling the first hints of summer. Time flies, doesn’t it? In May, we still had a wonderful person in our organization who shared positive energy. Our May Praise Relay honoree is Minwoo Oh, a principal researcher at the company! Hyeokjun Oh, who was selected for the April Compliment Relay, nominated Minwoo Oh as the May Complimenter, saying, “I am impressed by his sense of responsibility for his work, as well as his proactive attitude and positive atmosphere.” I think it’s great to be a role model for your coworkers. Let’s take a look at the story of Mr. Minwoo Oh, the main character of the May Compliment Relay. Q1. How long have you been with MONITORAPP and what are your responsibilities? I have been working at MONITORAPP for 3 years and 6 months, and I am in charge of technical support for our partners. I am mainly responsible for supporting the deployment of our products and responding to failures that occur during operation. Q2. You have been working at MONITORAPP for three and a half years, please introduce the culture and atmosphere of MONITORAPP that you have experienced so far. MONITORAPP has a well-established culture of caring and respect for each other. I think it’s a great advantage that there is an atmosphere where people can freely share their opinions regardless of their position or seniority, allowing for horizontal communication. Q3. What has been the best (or worst) part of your job? My lack of product knowledge was a challenge in the beginning, but thanks to ongoing internal training and the support of my coworkers, I was able to adapt quickly. Q4. How does it feel to be selected as a PraiseRelay runner? I am sincerely grateful for being selected even though I still have many shortcomings. I will take more responsibility in the future and try to show my progress. Q5. What factors do you think contributed to your selection as a PraiseRelay Runner-up? I think it was our attitude that we tried to be flexible to the client’s rather tight schedule request and supported them to the best of our ability. Q6. What do you most want to accomplish at MONITORAPP in the remaining year of 2025? We feel that we still have a lot to learn about the various product lines we currently cover. My biggest goal for the remainder of this year is to deepen our understanding of each product and strengthen our technical capabilities. Q7. How would you like to see MONITORAPP grow in about 5 years and what are your hopes for MONITORAPP? Based on our world-class proxy technology, we hope to grow into a leading company that is recognized in the global market. Q8. Why do you recommend joining MONITORAPP? 2 keywords I would say that one of MONITORAPP’s core values, “unadorned communication” and “passionate camaraderie” are the main keywords to recommend joining MONITORAPP. Q9. Anything else you’d like to share? We’re halfway through 2025. I wish you all the best in your respective positions for the rest of the year. Thank you.

Solutions			Company	Support
WAAP	SWG	ZTNA	Who we are	Contact us
CDN	CASB		What we do	FAQ
DDoS	FWaaS		Career
WSPC	NGDPI
	ATP
	RBI