Linux is a unique operating system because of its stability, flexibility, and open-source nature. At the same time, Linux dominates the cloud, running on 90% of public cloud workloads in 2017. Trend Micro analyzed the top threats and vulnerabilities affecting the Linux operating system in the first half of 2021 under Linux Threat Report 2021 1H. This analysis was based on data amassed from honeypots, sensors, and anonymized telemetry.
Coin miners are at the top with 54%
After analyzing over 13 million malware events aimed at Linux-based cloud environments, Trend Micro found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.

One hundred thousand unique Linux hosts during the same period reported over 50 million events. The researchers discovered 15 different vulnerabilities that are known to be actively exploited in the wild or have a proof of concept (POC):
- CVE-2017-5638 (CVSS score: 10.0) – Apache Struts 2 remote code execution (RCE) vulnerability
- CVE-2017-9805 (CVSS score: 8.1) – Apache Struts 2 REST plugin XStream RCE vulnerability
- CVE-2018-7600 (CVSS score: 9.8) – Drupal Core RCE vulnerability
- CVE-2020-14750 (CVSS score: 9.8) – Oracle WebLogic Server RCE vulnerability
- CVE-2020-25213 (CVSS score: 10.0) – WordPress File Manager (wp-file-manager) plugin RCE vulnerability
- CVE-2020-17496 (CVSS score: 9.8) – vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability
- CVE-2020-11651 (CVSS score: 9.8) – SaltStack Salt authorization weakness vulnerability
- CVE-2017-12611 (CVSS score: 9.8) – Apache Struts OGNL expression RCE vulnerability
- CVE-2017-7657 (CVSS score: 9.8) – Eclipse Jetty chunk length parsing integer overflow vulnerability
- CVE-2021-29441 (CVSS score: 9.8) – Alibaba Narcos AuthFilter authentication bypass vulnerability
- CVE-2020-14179 (CVSS score: 5.3) – Atlassian Jira information disclosure vulnerability
- CVE-2013-4547 (CVSS score: 8.0) – Nginx crafted URI string handling access restriction bypass vulnerability
- CVE-2019-0230 (CVSS score: 9.8) – Apache Struts 2 RCE vulnerability
- CVE-2018-11776 (CVSS score: 8.1) – Apache Struts OGNL expression RCE vulnerability
- CVE-2020-7961 (CVSS score: 9.8) – Liferay Portal untrusted deserialization vulnerability
More than 100,000 unique Linux hosts reported the events. The top 20 Linux and Unix flavors that reported events into this dataset by volume.
