Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Apache Struts Flaw Reportedly Exploited in Equifax Hack

A vulnerability affecting the Apache Struts 2 open-source development framework was reportedly used to breach U.S. credit reporting agency Equifax and gain access to customer data.

A vulnerability affecting the Apache Struts 2 open-source development framework was reportedly used to breach U.S. credit reporting agency Equifax and gain access to customer data.

Equifax revealed last week that hackers had access to its systems between mid-May and late July. The incident affects roughly 143 million U.S. consumers, along with some individuals in the U.K. and Canada.

The compromised information includes names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers. The credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people may have also been stolen by the attackers.

Equifax only said that “criminals exploited a U.S. website application vulnerability to gain access to certain files.” However, financial services firm Baird claimed the targeted software was Apache Struts, a framework used by many top organizations to create web applications.

“Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw,” Baird said in a report.

Some jumped to conclude that it was the recently patched and disclosed CVE-2017-9805, a remote code execution vulnerability that exists when the REST plugin is used with the XStream handler for XML payloads. This flaw was reported to Apache Struts developers in mid-July and it was addressed on September 5 with the release of Struts 2.5.13.

The security hole is now being exploited in the wild, but there had been no evidence of exploitation before the patch was released.

In a statement issued over the weekend, the Apache Struts Project Management Committee (PMC) said it was not clear which, if any, Struts vulnerability was exploited in the Equifax breach. However, the organization did point out that it was either an earlier vulnerability or a zero-day exploit for CVE-2017-9805.

If Apache Struts was in fact targeted in the Equifax attack, a more likely explanation is that the cybercriminals leveraged CVE-2017-5638, a vulnerability exploited in the wild since March. Attacks started just a few days after the release of a patch, and the flaw has been used in several campaigns.

“For either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax,” explained Jeff Williams, co-founder and CTO at Contrast Security. “In one case, an OGNL expression. In the other, a serialized object. The Equifax Struts application would receive this request, and get tricked into executing operating system commands. The attacker can use these to take over the entire box – do anything the application can do. So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”

New York Attorney General Eric T. Schneiderman has announced the launch of a formal investigation into the Equifax breach. Attorney General Schneiderman has sent a letter to the company requesting additional information about the incident.

Related: Industry Reactions to Equifax Hack

Related: Massive Credit Bureau Hack Raises Troubling Questions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...