Attackers are actively exploiting a critical vulnerability in Apache Struts 2 just days after it was originally disclosed and patched, researchers warn.
The vulnerability, listed as CVE-2024-53677, involves a flaw in file upload logic, according to a bulletin from Apache. The vulnerability has a CVSS score of 9.5 out of 10, indicating the risk is considered critical.
An attacker can manipulate file upload parameters to enable path traversal. Apache urged users to upgrade to Struts 6.4.0 or greater and use the Action File Upload Interceptor. Security researchers warn the vulnerability can allow an attacker to conduct malicious actions.
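The mitigation Apache describes is a two-part change: move to Struts 6.4.0 or later and switch the action from the old parameter-bound upload properties to the Action File Upload Interceptor, which hands the action UploadedFile objects directly. The action below is an added illustration of that pattern, not code from Apache or from any affected project; the class name, package, upload directory and the struts.xml snippet in the comment are assumptions, and the path check is defensive hardening layered on top of the interceptor, not something the page prescribes.

```java
package example; // hypothetical package

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Objects;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Assumed struts.xml wiring for this action (Struts 6.4.0+):
//   <action name="upload" class="example.DocumentUploadAction">
//     <interceptor-ref name="actionFileUpload"/>
//     <interceptor-ref name="defaultStack"/>
//   </action>
// With ActionFileUploadInterceptor the file, its name and content type arrive via
// withUploadedFiles(), so there are no file/fileName/contentType setters for the
// request parameters to populate.
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads"); // assumed location
    private List<UploadedFile> uploadedFiles = List.of();

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile f : uploadedFiles) {
            // Keep only the last path element of the client-supplied name ...
            String raw = Objects.requireNonNullElse(f.getOriginalName(), "").replace('\\', '/');
            Path leaf = Paths.get(raw).getFileName();
            String safeName = leaf == null ? "" : leaf.toString();
            Path target = UPLOAD_DIR.resolve(safeName).normalize();
            // ... and refuse anything that would land outside the upload directory.
            if (safeName.isEmpty() || safeName.startsWith(".") || !target.startsWith(UPLOAD_DIR)) {
                addActionError("rejected upload name: " + f.getOriginalName());
                return INPUT;
            }
            Files.copy(((File) f.getContent()).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```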
“Due to a vulnerability in the Struts 2 upload feature, attackers can upload files to restricted areas on the server, which can then be exploited to execute code,” Johannes Ullrich, dean of research at the SANS Technology Institute, said via email.
In a typical attack scenario, hackers upload a web shell, which provides them a simple interface to execute commands on the server and initiate further compromise, according to Ullrich.
Data from Maven Central shows that vulnerable components have been downloaded almost 40,000 times since the fix was originally published on Dec. 11, Sonatype said in a Friday blog post.
Vulnerable component versions make up about 90% of the Struts 2 downloads over the past week, according to Sonatype. This indicates the stakes are very high and time is running short, according to Sonatype officials.
Researchers warn the vulnerability builds upon issues connected to a prior vulnerability, listed as CVE-2023-50164. The connection has led some researchers to worry that an incomplete patch is at issue.
Brian Fox, co-founder and CTO at Sonatype, said an upgrade won’t completely address the vulnerability, and potential code changes required to leverage a different file upload interceptor make the mitigation steps far more complex.
“This will dramatically increase the level of effort required to remediate, which will significantly expand the length of exposure,” Fox said Wednesday in a LinkedIn post.
Stephen Fewer, principal security researcher at Rapid7, questioned the veracity and extent of active exploitation, adding that the concerns stem from observations of a public proof-of-concept exploit being used against a honeypot system.
“It is unclear if successful exploitation is occurring against any viable target systems,” Fewer said Friday via email.
The public proof-of-concept exploit would likely need to be modified for successful exploitation of any targeted web application, Fewer said.