Cyclos < 4.14.15 – Remote code execution

CyStack image

Hà Minh Châu

|June 24, 2022
CyStack Advisory IDCSA-2021-01
CVE IDsCVE-2021-44832
CVSS v3 Base10.0


Cyclos is a payment software created for banks, barters, remittances, and innovative currency systems. Cyclos is used by more than 1500 payment systems worldwide. CyStack recently found that Cyclos versions prior to 4.14.15 are vulnerable to the remote code execution vulnerability. The root cause of this flaw is that Cyclos used vulnerable library log4j (which is known as Log4Shell vulnerability) as a logging module.

This Cyclos vulnerability was used to attack a CyStack customer, exposing more than 2 million of their users’ personal information.


In this analysis, CyStack used the Cyclos docker image version 4.14.9 downloaded from their Docker hub and its source code provided by STRO (the Cyclos development team).

Static analysis

Finding the applying of log4j in the codebase

The library log4j 2.14.1, which is vulnerable according to CVE-2021-44228, was found in Cyclos 4.14.9. The following figure shows proof of the availability of the log4j library in the folder lib of the Cyclos 4.14.9 project:

There were shreds of evidence that log4j functions are stated in cyclos4-web-4.14.9.jar and cyclos4-api-core-4.14.9.jar. These functions are marked in red boxes in the two figures below:

Finding the vulnerable entry points where the malicious JNDI injection payloads can be loaded

By tracking across multiple files in the Cyclos 4.14.9 project, the entry point was found in the function loadTranslations of the class TranslationMessagesController. It is the parameter submodule for the path /content/loadTranslations.

Steps to reproduce

For exploitation, CyStack used the tool Rogue JNDI, provided by Michael Stepankin. This tool provides LDAP and HTTP servers for exploiting insecure-by-default Java JNDI API. This vulnerability would be proved by an attempt on writing an arbitrary file to the directory /tmp of Cyclos server. The following figure illustrates the initial state of this directory:

We started our attack server that would write a file named pwned with the content pwned into the directory /tmp of victim server.

We sent a malicious request to a Cyclos server, locally deployed, with Burp Suite. The payload must follow this syntax:


groovy is the supported payload from Rogue JNDI, which leads to RCE via unsafe reflection in org.apache.naming.factory.BeanFactory and groovy.lang.GroovyShell.

The first attempt on JNDI injection to Cyclos server was successful, proved by the sending signal on our attack server. This signal only appears when the Cyclos server starts JNDI lookups for the requested resource.

After a few seconds, we made a check on the directory /tmp in our local Cyclos server. A file named pwned was written in this folder.

CyStack looked for the logging files on the Cyclos server, and here’s the result:

It was a match with the produced exploitation.


This issue can be mitigated by following one of these options:

  • Upgrade Cyclos to version 4.14.15 or the latest version.
  • Set a Java system property (for example, in Tomcat’s JAVA_OPTS): -Dlog4j2.formatMsgNoLookups=true
  • Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Related posts

Stored XSS leads to account takeover in Flarum
Stored XSS leads to account takeover in Flarum
November 19 2022|Advisories

CyStack Advisory ID CSA-2022-01 CVE IDs CVE-2022-41938 Severity Critical CVSS v3 Base 9.0 Synopsis CyStack’s researchers recently discovered a Stored XSS vulnerability in the Flarum platform version 1.5.0 to 1.6.1 which can lead to an account takeover attack. Flarum is a widely used simple and open-source forum platform. At the time of this post, we […]

macOS Rootkit Emulation
macOS Rootkit Emulation
June 24 2022|Advisories

Kernel rootkit is considered the most dangerous malware that may infect computers. Operating at ring 0, the highest privilege level in the system, this super malware has unrestricted power to control the whole machine, thus can defeat all the defensive and monitoring mechanisms. Unfortunately, dynamic analysis solutions for kernel rootkits are severely lacking; indeed, most […]

Cesanta Mongoose 6.16 &#8211; Integer overflow
Cesanta Mongoose 6.16 – Integer overflow
April 5 2023|Advisories

CyStack Advisory ID CSA-2019-04 CVE IDs CVE-2019-19307 Severity Critical CVSS v3 Base 9.8 Synopsis CyStack Security discovered an integer overflow vulnerability in the implementation of MQTT protocol in the Cesanta Mongoose Library version 6.16. By exploiting the vulnerability, a remote, unauthenticated attacker can perform a DoS attack to broker server with an infinite loop or […]