More than 3,000 organizations could be at risk of an attack exploiting the same vulnerability that allowed hackers to gain access to the records of more than 143 million Americans held by credit reporting firm Equifax.

The troublesome figure comes from supply chain automation firm Sonatype, which found a total of 3,054 organizations still using a vulnerable version of Apache Struts, a popular web application framework.

Sonatype analyzed data available through the Maven Central repository, the largest distribution point for Java open-source components (of which Apache Struts is one), and found a surprising number of organizations continuing to use a component with a vulnerability that has been exploited in breaches in the past—even prior to the Equifax incident.
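A defender-side check in the spirit of that analysis, added here as an example (this is not Sonatype's tooling or code from the article): parse a Maven pom.xml, resolve the Struts dependency version, including the common `${property}` indirection, and flag it if it falls inside the affected ranges. The ranges and the struts2-core artifact coordinates are assumptions taken from the vendor advisory for the CVE, not from the article; the sample POM is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges for CVE-2017-5638. Assumption: copied from the
# Apache Struts advisory, not from the article; verify against the advisory.
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
STRUTS_ARTIFACTS = {("org.apache.struts", "struts2-core")}

# Constructed sample POM that pins Struts through a property, as many builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.5.10.1' or '2.3.31-SNAPSHOT' into a comparable int tuple (qualifier dropped)."""
    return tuple(int(p) for p in re.match(r"[\d.]*", text.strip()).group(0).split(".") if p)

def is_vulnerable(version):
    """True if the version lies inside any affected range (tuple comparison handles 2.5.10.1 > 2.5.10)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def find_vulnerable_struts(pom_xml):
    """Return [(artifactId, resolved_version)] for Struts dependencies in the affected ranges."""
    root = ET.fromstring(pom_xml)
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    p = "m:" if ns else ""
    props = {el.tag.split("}")[-1]: (el.text or "").strip()
             for el in root.findall(f"{p}properties/*", ns)}
    hits = []
    for dep in root.iter(f"{{{ns['m']}}}dependency" if ns else "dependency"):
        g = dep.findtext(f"{p}groupId", default="", namespaces=ns).strip()
        a = dep.findtext(f"{p}artifactId", default="", namespaces=ns).strip()
        ver = dep.findtext(f"{p}version", default="", namespaces=ns).strip()
        # Resolve ${struts.version}-style references against <properties>.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        if (g, a) in STRUTS_ARTIFACTS and ver and is_vulnerable(ver):
            hits.append((a, ver))
    return hits
```

Versions inherited from a parent POM or a BOM are not resolved here, so an empty result for a module that declares no version is not a clean bill of health.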

The vulnerability in question is CVE-2017-5638, which was first discovered in March of this year and was considered a zero-day—a vulnerability that can be exploited because the software maker is unaware of it or has yet to address it with a patch or fix.

By March 6, a patch for the vulnerability was made available and could be applied by anyone using Apache Struts—though it’s worth noting the update process was considered difficult and somewhat labor-intensive, which may have led to slower adoption rates.

Once the vulnerability was made public, attackers started targeting organizations that failed to patch it quickly. Researchers at Cisco Systems deemed the vulnerability to be critical and noted a “high number of exploitation events” making use of the bug.

In one instance, a malicious group used the Apache Struts exploit to install Cerber ransomware on a number of locally networked machines. That endeavor ended up netting the hacking group more than $100,000 in Bitcoin.

While those attacks happened in the immediate aftermath of the disclosure of the vulnerability, Equifax was hit two months after the patch was made available. The hack, which exposed personal information, credit card numbers, and Social Security numbers of hundreds of thousands if not millions of U.S. consumers, occurred in May and wasn’t discovered until July 29.

Unfortunately, even with the revelation about the Equifax breach, many companies are still falling well short on their hygiene when it comes to the Apache Struts framework.

According to Sonatype, over the last 12 months more than 3,000 organizations downloaded the version of Apache Struts that was disclosed as vulnerable in March, and another 1,731 organizations downloaded versions of the framework that had been disclosed as vulnerable as early as July 2013.

In total, 46,557 organizations have downloaded a version of Apache Struts or one of its sub-projects that has a known vulnerability, despite safe and stable versions of the framework being available.

“Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open source components are simply not paying attention,” Wayne Jackson, CEO of Sonatype, said in a statement.


“The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components.”