Nearly five months after the maintainers of Ruby on Rails delivered updates to fix severe holes in the web application framework, in-the-wild exploits have emerged, according to a researcher.

The two patches closed off “extremely critical” parameter parsing flaws present in all versions of Ruby on Rails, which could allow attackers to bypass authentication and execute arbitrary code in Rails apps.

“It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails,” Jeff Jarmoc, a security consultant, wrote on his personal blog. “It also appears to be affecting some web hosts.”

The exploits are being launched from IP addresses that trace to Germany, Russia and Ukraine.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc wrote.

[This story was updated to clarify that Jarmoc’s blog is personal and not affiliated with his employer.]