Eclipse BIRT - RCE (CVE-2021-34427)

CVE-2021-34427 is a critical vulnerability in Eclipse BIRT versions 4.8.0 and earlier that allows remote attackers to inject malicious JSP code by manipulating query parameters. Exploiting this flaw could enable attackers to execute arbitrary code on the server, potentially leading to full system compromise and unauthorized access to sensitive data.

CrowdSec has been tracking this vulnerability and its exploits since 10th of December 2025.

CrowdSec network observations suggest that most exploitation of CVE-2021-34427 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2021-34427. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit this vulnerability by sending crafted requests to the /document endpoint with malicious query parameters, resulting in the creation and execution of attacker-controlled JSP files within the application directory. Subsequent requests to the uploaded .jsp files are used to execute arbitrary code on the server.