Botnet exploitation of NXRM up to 3.14.0

Affected Versions: Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.14.0

Fixed in Version: Nexus Repository Manager OSS/Pro version 3.15.0

Sonatype has become aware of botnet exploitation of a previously announced security vulnerability, and recommends immediate upgrade of affected NXRM 3.x instances. (NXRM 2.x instances are not affected.)

Sonatype has expanded the range of affected versions to include older versions of NXRM prior to 3.6.2.

Information about the vulnerability was previously published in the Sonatype security knowledge base at:

Instances of Repository Manager that are publicly accessible on the internet are at extreme risk of exploitation. Non-publicly accessible instances are at lower risk, but still pose a risk of insider threat.

We recommend immediate upgrade of vulnerable versions of Nexus Repository Manager to the latest version, currently 3.16.2.