A new attack takes place via a Web server running in a DMZ. DMZs often are improperly built, allowing any machine on the network to connect out to the world. This configuration makes patch management and software downloading easy, but it also opens up those devices to attack. Simple egress filtering at the firewall — or insuring software you use to download images does not allow connections to internal address spaces — could fix this issue. The real question is: How many people will take the initiative and fix these vulnerabilities before the bad guys find them?”]
Source: https://www.darkreading.com/attacks-breaches/when-web-servers-attack