Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Exploitation of Recent Critical Apache Struts 2 Flaw Begins

Researchers warn of malicious attacks exploiting a recently patched critical vulnerability in Apache Struts 2 leading to remote code execution (RCE).

Apache vulnerability

Threat actors have started exploiting a critical-severity vulnerability in Apache Struts 2 less than a month after it was publicly disclosed.

The issue, tracked as CVE-2024-53677 (CVSS score of 9.5), is described as a file upload logic flaw that could enable an attacker to perform a path traversal attack.

“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution,” Apache notes in its advisory.

Essentially, attackers could exploit the vulnerability to place malicious files in restricted directories, which could allow them to steal data, execute arbitrary code, and potentially fully compromise systems.

“Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows. Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications,” cloud security firm Qualys notes.

The bug impacts Struts versions 2.0.0 through 2.3.37 and 2.5.0 through 2.5.33, which have been discontinued, and version 6.0.0 through 6.3.0.2.

Advertisement. Scroll to continue reading.

Struts version 6.4.0 resolves the security defect by deprecating the vulnerable file upload mechanism FileUploadInterceptor. In addition to updating Struts, users should migrate to the new mechanism, ActionFileUploadInterceptor, which is not affected, Apache says.

However, the company warns that the change is not backward compatible and that users will have to rewrite their actions to start using the new mechanism.

“Keep using the old File Upload mechanism keeps you vulnerable to this attack,” Apache notes, explaining that no workaround is available.

CVE-2024-53677, Apache says, is like CVE-2023-50164 (CVSS score of 9.8), which started being targeted in attacks only days after being publicly disclosed in December last year.

Proof-of-concept (PoC) code targeting the newly resolved bug was published last week, and the first exploitation attempts started shortly after, Johannes Ullrich of the SANS Internet Storm Center warns.

“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich says.

Related: Critical Vulnerabilities Found in Ruijie Reyee Cloud Management Platform

Related: LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover

Related: Many Apache Struts Security Advisories Updated Following Review

Related: Vulnerabilities in Zephyr’s Bluetooth LE Stack May Lead to DoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.