With the malicious code embedded into websites, the attacker can then piggyback on the trust level of the website and launch a variety of attacks.

While probes looking for vulnerable Apache Struts 2 deployments continue, malicious traffic has tapered off, researchers at Rapid7 said.

Apache administrators are urged to immediately upgrade the Struts 2 web application framework to address a remote code execution flaw under public attack.