A critical security flaw in Apache Struts is being actively exploited by threat actors, potentially enabling remote code execution (RCE).
Key Details of the Vulnerability
The flaw, identified as CVE-2024-53677, has been assigned a CVSS score of 9.5, highlighting its critical severity. It shares similarities with another significant vulnerability, CVE-2023-50164 (CVSS score: 9.8), which faced active exploitation shortly after its disclosure in December 2023.
According to the Apache advisory, attackers can manipulate file upload parameters to perform path traversal, which, in specific circumstances, allows them to upload malicious files. These files can then be weaponized for:
- Executing arbitrary commands,
- Exfiltrating sensitive data, or
- Downloading additional payloads to extend the attack.
Affected Versions and Patch Details
The vulnerability affects the following Apache Struts versions:
- Struts 2.0.0 to Struts 2.3.37 (End-of-Life)
- Struts 2.5.0 to Struts 2.5.33
- Struts 6.0.0 to Struts 6.3.0.2
A fix has been released in Struts 6.4.0 or later.
Exploitation Attempts in the Wild
Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, suggested that this flaw might stem from an incomplete patch for CVE-2023-50164. Exploitation attempts matching a publicly available proof-of-concept (PoC) have already been observed.
"Current exploit attempts are focused on enumerating vulnerable systems," Ullrich noted. "Once identified, attackers attempt to locate the uploaded malicious script. So far, these scans are originating from 169.150.226[.]162."
Risk Mitigation Recommendations
Users are urged to upgrade to Struts 6.4.0 or higher immediately and rewrite their code to adopt the new Action File Upload mechanism and related interceptor.
Why This Matters
Apache Struts is widely used in enterprise IT environments, powering public-facing portals, internal productivity tools, and critical business workflows.
"A vulnerability like CVE-2024-53677 could have far-reaching consequences due to the framework's role in high-stakes applications," said Saeed Abbasi, product manager at Qualys.
Timely action is crucial to protect systems from malware infections, data breaches, and other potential threats arising from this flaw.
Take action now—upgrade your systems and secure your applications.