Users of the Apache Struts framework for Java are being urged to immediately upgrade to the current version. That version is Struts 2.13.15.1 , which was released in July.

Chinese hackers are using the older versions to hack them with automated tools to exploit the flaws.

With a few simple clicks, attackers can determine the name of the current user account, display the version number of the OS, view network and system configuration information, list the contents of directories, and – particularly worryingly – add new user accounts.

The attack works on servers running either Windows or Linux, although the actual commands that can be executed will differ depending on the OS.