Eclipse Jetty - Information Disclosure (CVE-2021-28169)

CVE-2021-28169 is a vulnerability in Eclipse Jetty that allows remote attackers to access protected resources within the WEB-INF directory by exploiting doubly encoded paths in requests to the ConcatServlet. This flaw can expose sensitive files such as web.xml, potentially revealing critical information about the web application's internal configuration and implementation.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2021-28169 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2021-28169 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2021-28169 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending requests to endpoints such as /static or /concat with doubly encoded paths like /%2557EB-INF/web.xml to access sensitive files within the WEB-INF directory.