Aiohttp is a widely used open-source library for handling concurrent HTTP requests in Python applications. The ransomware group ShadowSyndicate has been scanning for servers vulnerable to CVE-2024-23334. The flaw is that improperly configuring static resource resolution in aiohttp, when it is used as a web server, can allow unauthorized reading of arbitrary files on the system. It affects all aiohttp versions prior to 3.9.2, which was released on January 28, 2024, to address the flaw. The vulnerability came to wider attention when a proof-of-concept (PoC) exploit was released online in late February 2024, followed by detailed exploitation instructions on YouTube.
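Two checks a defender would want for this flaw, as an added example (not aiohttp's own code): a version test against the 3.9.2 fix threshold, a static-root resolution check that refuses paths whose real location (after `..` segments or symlinks) lands outside the served directory, and a scan of constructed access-log lines for traversal requests. It uses only the standard library, so it runs without aiohttp installed; the directory layout and log lines are constructed for the demo.

```python
"""Defender-side checks for CVE-2024-23334 (aiohttp static file read)."""
from __future__ import annotations
import os
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (3, 9, 2)  # first aiohttp release carrying the fix


def is_vulnerable_version(version: str) -> bool:
    """True if an aiohttp version string is older than 3.9.2."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))  # pad "3.9" -> (3, 9, 0)
    return tuple(nums) < FIXED_VERSION


def resolve_static(root: Path, request_path: str) -> Path | None:
    """Resolve a URL path against a static root the way a safe handler must:
    resolve symlinks and '..' first, then refuse anything outside the root."""
    real_root = root.resolve()
    candidate = (real_root / request_path.lstrip("/")).resolve()
    try:
        candidate.relative_to(real_root)
    except ValueError:
        return None  # '..' traversal or symlink pointing outside the root
    return candidate


TRAVERSAL = re.compile(r"\.\./|%2e%2e|\.\.%2f", re.IGNORECASE)

# Constructed access-log lines (not real traffic) for the detection check.
LOG_LINES = [
    '10.0.0.5 - - [29/Feb/2024:10:01:02] "GET /static/app.js HTTP/1.1" 200',
    '10.0.0.9 - - [29/Feb/2024:10:01:03] "GET /static/../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - [29/Feb/2024:10:01:04] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 200',
]


def flag_traversal_requests(log_lines: list[str]) -> list[str]:
    """Return log lines whose request path carries plain or URL-encoded '..'."""
    return [line for line in log_lines if TRAVERSAL.search(line)]


def demo() -> dict[str, bool]:
    """Build a constructed static root in a temp dir and exercise the check."""
    base = Path(tempfile.mkdtemp())
    static = base / "static"
    static.mkdir()
    (static / "app.js").write_text("console.log('ok')")
    (base / "secret.txt").write_text("outside the static root")
    os.symlink("..", static / "link")  # symlink escaping the served directory
    return {
        "normal_file_served": resolve_static(static, "app.js") is not None,
        "dotdot_refused": resolve_static(static, "../secret.txt") is None,
        "symlink_escape_refused": resolve_static(static, "link/secret.txt") is None,
    }
```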
Researchers reported that exploitation attempts were first detected on February 29, 2024, and have increased since then. The attempts were linked to five IP addresses, one of which had previously been associated with ShadowSyndicate. The group is known for its financial motivation and its links to several ransomware strains. Although it is not confirmed that these scanning attempts have led to breaches, the activity shows that threat actors are interested in exploiting this vulnerability.