Late last week a security advisory came out that allows for executing malicious code. Atlassian, which uses similar technology, also issued announcements around the same time. My wild speculation is this was the attack vector.
Sadly, I feel some responsibility for this pretty major security hole. There have been a few like this and they are all rooted in the fact that almost 9 years ago I made the (bad) decision to use OGNL as WebWork's expression language. I did so because it was "powerful" but it opened up all sorts of extra binding trickery I never intended. I haven't been contributing to the project in 5+ years, but this is a good reminder how technology choices tend to stick around a lot longer than you ever imagine :)
It amazes me how true this is. I've learned that assertions such as "this is a mockup and should be replaced ASAP for reasons X Y Z" tend to get ignored by inheritors of proofs of concept for as long as (or longer than) possible. My coworkers wonder why I now fight tooth-and-nail to (from their perspective) over-engineer things from the start; I know that short-sighted decisions will never be revisited until it's too late.
When you see an old lady walking alone in the dark, do you steal her purse because she did not protect herself well enough? I'm sure you don't... So please, don't overcomplicate things.