I was pretty divided into publishing this, mostly because I know the people over at Patreon are really doing a great job around security in general and I didn't want to bring more gasoline to the fire. (Is that a working proverb?)<p>However, due to the fact that there has been posts around publicly available Werkzeug Debuggers before and also the fact that there are so many still out there, I still decided do to it.<p>Also worth noting that Shodan.io even crawled this host when the instance actually launched the Debugger directly upon visiting it. This made it extremely easy for an attacker to actually exploit this vulnerable endpoint only by visiting the domain.
Visit domain -> Werkzeug Debugger -> "[console ready]" -> RCE.
> Unfortunately there are thousands of publicly available instances of Werkzeug out there and each and every one of them should take proper mitigation actions as if they have already been exploited.<p>This should probably say "publicly available instances of the Werkzeug debugger". Werkzeug without the debugger is perfectly safe AFAIK.