Exploitation of Public-Facing Web Application Leading to Web Shell Deployment
ID: b2b511ae-3d42-42ac-810b-8acd69f3ee75
STIX ID: report--b2b511ae-3d42-42ac-810b-8acd69f3ee75
Threat Score: 70/100
On 9 April 2026 attackers exploited a vulnerable file upload on a public customer portal to install a JSP web shell (/uploads/support/logo_help.jsp). The adversary executed system commands via HTTP POST, created a database export archive (/tmp/client_backup_20260409.tar.gz), and initiated outbound connections to 198.51.100.24:8080 (user agent curl/8.5.0), indicating collection and likely exfiltration of data.
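
The web-shell access pattern described above (requests, especially successful POSTs, to a JSP file inside the upload directory) can be hunted for in web server access logs. The following is an added example, not part of the original report: it assumes Apache/Nginx combined log format and that /uploads/ is the user-writable tree, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumption: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: /uploads/ is the user-writable tree (prefix taken from the path in the report).
UPLOAD_PREFIX = "/uploads/"
SCRIPT_EXT = (".jsp", ".jspx", ".jspf")

def find_upload_script_hits(lines):
    """Return parsed requests that reached a JSP file inside the upload tree."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Drop the query string and any ;jsessionid-style path parameter before matching.
        path = m["path"].split("?", 1)[0].split(";", 1)[0].lower()
        if path.startswith(UPLOAD_PREFIX) and path.endswith(SCRIPT_EXT):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"])})
    return hits

def summarize(hits):
    """Count successful POSTs per (client, path): the command-execution pattern."""
    return Counter((h["ip"], h["path"]) for h in hits
                   if h["method"] == "POST" and h["status"] == 200)

# Constructed sample log lines (documentation-range IPs), not taken from the incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:10:01:02 +0000] "POST /portal/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2026:10:01:09 +0000] "GET /uploads/support/logo_help.jsp HTTP/1.1" 200 18 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2026:10:02:11 +0000] "POST /uploads/support/logo_help.jsp HTTP/1.1" 200 904 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Apr/2026:10:03:40 +0000] "POST /uploads/support/logo_help.jsp?x=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [09/Apr/2026:10:04:00 +0000] "GET /uploads/support/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, path), n in summarize(find_upload_script_hits(SAMPLE_LOG)).items():
        print(f"ALERT {ip} sent {n} successful POST(s) to {path}")
```

Any hit is worth triage, since an upload directory should only ever serve static content; the GET hit in the sample is kept in the result for that reason even though only POSTs are counted in the summary.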
