Patch Alert: Critical Apache Struts Vulnerability Exposes Systems to Remote Code Execution
A recently discovered critical vulnerability in Apache Struts, tracked as CVE-2024-53677, is being actively targeted by threat actors and could lead to remote code execution (RCE). With a CVSS score of 9.5, the flaw poses a significant security risk to affected systems.
The vulnerability, similar to one addressed in December 2023 (CVE-2023-50164), allows attackers to manipulate file upload parameters to perform path traversal. Under some configurations, this lets an attacker write an uploaded file to a location of their choosing, which may then be used to execute arbitrary commands, exfiltrate data, or download additional payloads for further exploitation.
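The bug class described above is a server trusting the client-supplied file name (or a related upload parameter) when deciding where to write the file. The following Python example, added here and not code from the advisory or from the Struts project, contrasts the naive join that lets a name containing parent-directory segments escape the upload directory with a hardened version that rejects any separator, allowlists the remaining characters, and still verifies that the final path is contained in the upload directory. The upload directory and the sample names are constructed for the example.

```python
import posixpath
import re

# Constructed example directory; not a path from the advisory.
UPLOAD_DIR = "/srv/app/uploads"

# Only plain names are accepted: must start with a letter or digit, then up to
# 127 characters from a small allowlist. This also rejects "", "." and "..".
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def unsafe_target_path(upload_dir: str, client_name: str) -> str:
    """Naive pattern: the client-supplied name is joined straight onto the
    upload directory. A name with '../' segments resolves outside it, which
    is the path-traversal class of bug the advisory describes."""
    return posixpath.normpath(posixpath.join(upload_dir, client_name))


def safe_target_path(upload_dir: str, client_name: str) -> str:
    """Hardened pattern: reject rather than silently repair suspicious names,
    so traversal attempts surface in logs instead of being normalised away."""
    # 1. Any directory separator or NUL byte in a file *name* is a red flag.
    if "/" in client_name or "\\" in client_name or "\x00" in client_name:
        raise ValueError(f"path separator in upload name: {client_name!r}")
    # 2. Allowlist the characters; fullmatch means the whole name must comply.
    if not _SAFE_NAME.fullmatch(client_name):
        raise ValueError(f"disallowed characters in upload name: {client_name!r}")
    # 3. Defence in depth: the resolved path must still lie inside upload_dir.
    #    (On a real filesystem also resolve symlinks, e.g. os.path.realpath.)
    base = posixpath.normpath(upload_dir)
    target = posixpath.normpath(posixpath.join(base, client_name))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError(f"upload name escapes upload directory: {client_name!r}")
    return target


def is_accepted(upload_dir: str, client_name: str) -> bool:
    """True if the hardened check accepts the name; False if it raises."""
    try:
        safe_target_path(upload_dir, client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: a benign one and two traversal attempts.
    for name in ("report.pdf", "../../config/app.properties", "..\\..\\x.txt"):
        print(f"{name!r:36} unsafe -> {unsafe_target_path(UPLOAD_DIR, name)}")
        print(f"{'':36} safe   -> accepted={is_accepted(UPLOAD_DIR, name)}")
```

A stronger design stores each upload under a server-generated name and keeps the client's name only as metadata; the containment check above then remains as a last line of defence rather than the primary control.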
Apache Struts is a popular framework used in many enterprise applications, and the flaw impacts the following versions:
Struts 2.0.0 - Struts 2.3.37 (End-of-Life)
Struts 2.5.0 - Struts 2.5.33
Struts 6.0.0 - Struts 6.3.0.2
The issue has been patched in Struts 6.4.0 and later versions. Dr. Johannes Ullrich from SANS Technology Institute noted that the incomplete patch for CVE-2023-50164 may have contributed to the emergence of this new vulnerability. Exploit attempts matching a publicly released proof-of-concept (PoC) have been detected in the wild, with scans originating from IP address 169.150.226[.]162.
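To triage an estate against the version ranges listed above, the first practical step is to find out which struts2-core version each application actually builds with. The following Python example, added here and not from the advisory or the Struts project, encodes the three affected ranges and the fixed version as stated on this page, parses a Maven pom.xml (including the common case where the version is held in a property), and reports whether the version falls in an affected range. The sample pom.xml is constructed for the example; real pom files may declare the dependency differently, for instance through a parent or a BOM.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory (inclusive), padded to four
# components so that 2.3.37 and 6.3.0.2 compare cleanly as tuples.
AFFECTED_RANGES = (
    ((2, 0, 0, 0), (2, 3, 37, 0), "Struts 2.0.0 - 2.3.37 (End-of-Life)"),
    ((2, 5, 0, 0), (2, 5, 33, 0), "Struts 2.5.0 - 2.5.33"),
    ((6, 0, 0, 0), (6, 3, 0, 2), "Struts 6.0.0 - 6.3.0.2"),
)
FIXED_VERSION = (6, 4, 0, 0)  # patched in 6.4.0 and later, per the advisory

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.3.0.2', '2.5.33' or '2.5.33-SNAPSHOT' into a 4-tuple of ints.
    Non-numeric suffixes on a component are dropped; missing components are 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    padded = (parts + [0, 0, 0, 0])[:4]
    return padded[0], padded[1], padded[2], padded[3]


def assess(version_text: str) -> str:
    """Classify a struts2-core version against the advisory's ranges."""
    v = parse_version(version_text)
    for low, high, label in AFFECTED_RANGES:
        if low <= v <= high:
            return f"AFFECTED ({label}); upgrade to 6.4.0 or later"
    if v >= FIXED_VERSION:
        return "patched (6.4.0 or later)"
    return "not in a listed range; confirm against the vendor advisory"


def struts_core_version(pom_xml: str) -> Optional[str]:
    """Return the declared org.apache.struts:struts2-core version from a pom,
    resolving a ${property} reference from <properties>, or None if absent."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    for dep in root.iter(f"{POM_NS}dependency"):
        group = (dep.findtext(f"{POM_NS}groupId", "") or "").strip()
        artifact = (dep.findtext(f"{POM_NS}artifactId", "") or "").strip()
        if group == "org.apache.struts" and artifact == "struts2-core":
            version = (dep.findtext(f"{POM_NS}version", "") or "").strip()
            if version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1], "")
            return version or None
    return None


# Constructed sample pom.xml; the version is deliberately held in a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>ordering-app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>6.3.0.2</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    found = struts_core_version(SAMPLE_POM)
    print(f"struts2-core {found}: {assess(found) if found else 'not declared'}")
```

Treat the result as a starting point only: a version below 6.4.0 that does not fall inside a listed range still deserves a manual check, and a patched version alone does not mean the upload handling has been migrated as the advisory recommends.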
To mitigate the risk, users are advised to upgrade to the latest version of Apache Struts and to migrate file-upload handling to the new Action File Upload mechanism and its related interceptors; the upgrade and the migration go together.
According to attack surface management firm Censys, over 13,500 web applications are currently running Apache Struts, with 69% of these located in the United States. Although not all instances are vulnerable, the widespread use of Apache Struts in critical business applications underscores the potential for significant impact if exploited.
For full protection, it is essential to apply the update immediately and to review file-upload handling and any other relevant security measures.