It's a Java web application that uses a vulnerable third-party component (Apache CXF) with no public exploit, so we need to reverse engineer the patch or correctly understand the CVE description.
Through the vulnerable third-party component, it's possible to download local files such as the WAR file.
We need to analyze the decompiled Java classes and defeat the obfuscation to identify a hidden backdoor.
Original writeup (https://gist.github.com/farisv/d30df98263d6dea7bad4eedd497a2408).