We know for certain our instance was compromised by this vulnerability. We patched it immediately as we found out from our cloud provider warning us of large amount of bytes being sent out. We have also deleted the admin accounts the attacker has created. We also know it is this exiftool attack based on looking at our logs. After our patch the bots continued uploading jpg files and we can see the exiftool now rejecting it in the logs. So its fairly certain this is the same attacker as described in this vulnerability.
Since this vulnerability allowed the attacker to create admin level users and API access, has anyone else seen any other behavior beyond the DDOS? We are currently reading through the images uploaded and checking what was the RCE they ran but wanted to post this in case anyone else has found any other side effects.
Thank you