Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.
The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS score: 9.8), which also came under active exploitation shortly after public disclosure.
“An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” according to the Apache advisory.
In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation.
The vulnerability affects the following versions and has been patched in Struts 6.4.0 and later:
- Struts 2.0.0 – Struts 2.3.37 (End-of-Life),
- Struts 2.5.0 – Struts 2.5.33, and
- Struts 6.0.0 – Struts 6.3.0.2
Dr. Johannes Ullrich, dean of research for SANS Technology Institute, said that an incomplete patch for CVE-2023-50164 may have led to the new problem, adding that exploitation attempts matching the publicly released proof-of-concept (PoC) have been detected in the wild.
“At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich noted. “Next, the attacker attempts to find the uploaded script. So far, the scans originate only from 169.150.226[.]162.”
To mitigate the risk, users are advised to upgrade to the latest version as soon as possible and to rewrite their code to use the new Action File Upload mechanism and its related interceptor.
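The root cause described above is a client-controlled file name steering an upload outside its intended directory. The following is an added, generic illustration of the defensive check an upload handler should apply, written in Python and not taken from Struts or from the article; the upload root, the extension allow-list and the sample names are all constructed for the example. It rejects any name carrying a directory separator, traversal entry, NUL byte, leading dot or disallowed extension, and then re-verifies that the resolved path still sits inside the upload root.

```python
"""Defensive handling of a client-supplied upload file name.

Added illustration (not Struts code): ensure that whatever name a client sends
in a multipart upload can neither steer the written file outside the intended
upload directory nor become a server-executable script inside it.
"""
import re
from pathlib import Path
from typing import List, Tuple

# Allow-list for the bare file name: letters, digits, dot, dash, underscore;
# must not start with a dot (no hidden files such as .htaccess).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

# Extensions this hypothetical application actually needs to accept.
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}


def validate_upload_name(client_name: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied file name.

    Separators and traversal tokens are rejected outright rather than
    "cleaned": strip-and-retry sanitisers are easy to get wrong, an allow-list
    is not.
    """
    if not client_name:
        return False, "empty name"
    if "\x00" in client_name:
        return False, "NUL byte in name"
    # Backslashes are rejected too: a POSIX host may still hand the name to a
    # Windows share or to a library that treats '\\' as a separator.
    if "/" in client_name or "\\" in client_name:
        return False, "directory separator in name"
    if client_name in (".", ".."):
        return False, "dot entry"
    if not SAFE_NAME.match(client_name):
        return False, "character outside allow-list"
    if Path(client_name).suffix.lower() not in ALLOWED_EXT:
        return False, "extension not allowed"
    return True, "ok"


def safe_target(upload_root: Path, client_name: str) -> Path:
    """Resolve the final path for a validated name and re-check containment.

    The containment check is defence in depth: even if the allow-list above is
    loosened later, a resolved path that escapes upload_root is refused.
    """
    accepted, reason = validate_upload_name(client_name)
    if not accepted:
        raise ValueError(f"rejected upload name {client_name!r}: {reason}")
    root = upload_root.resolve()
    target = (root / client_name).resolve()
    if root not in target.parents:
        raise ValueError(f"resolved path {target} escapes {root}")
    return target


def audit_names(names: List[str]) -> List[Tuple[str, bool, str]]:
    """Classify a batch of names, e.g. when replaying request logs offline."""
    return [(n, *validate_upload_name(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    samples = [
        "quarterly-report.pdf",
        "../../webapps/ROOT/script.jsp",
        "..\\..\\script.jsp",
        "script.jsp",
        ".htaccess",
        "photo\x00.jpg",
    ]
    for name, ok, reason in audit_names(samples):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name!r}: {reason}")
```

The same two-stage pattern (allow-list the bare name, then verify the resolved path is contained) is what the newer Struts upload interceptor is meant to let application code rely on; the point of the example is that the file name must be treated as untrusted input on every upload path, not only the one the framework populates by default.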
“Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows,” Saeed Abbasi, product manager of Threat Research Unit at Qualys, said. “Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications.”