Exploitation of Recent Critical Apache Struts 2 Flaw Begins

Researchers warn of malicious attacks exploiting a recently patched critical vulnerability in Apache Struts 2 leading to remote code execution (RCE).

Threat actors have started exploiting a critical-severity vulnerability in Apache Struts 2 less than a month after it was publicly disclosed.

The issue, tracked as CVE-2024-53677 (CVSS score of 9.5), is described as a file upload logic flaw that could enable an attacker to perform a path traversal attack.

“An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution,” Apache notes in its advisory.

Essentially, attackers could exploit the vulnerability to place malicious files in restricted directories, which could allow them to steal data, execute arbitrary code, and potentially fully compromise systems.
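The flaw described above comes down to trusting a client-supplied file name as a path. As an added illustration (this is example code written for this article, not Apache's code nor the fix shipped in Struts 6.4.0), the following Python shows the two checks a defender wants on any upload handler: an allow-list on the bare file name that rejects, rather than silently normalises, separators and dot segments, and a containment check on the resolved destination. The upload directory, the Content-Disposition samples and the helper names are all assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Assumed upload directory for this example; not taken from the Struts advisory.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Allow-list for the base name: alphanumeric first character, then a conservative set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

# Quoted filename= parameter of a multipart Content-Disposition header.
_FILENAME_PARAM = re.compile(r'filename="([^"]*)"')


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the quoted filename= parameter from a Content-Disposition header.

    Deliberately simple (no RFC 5987 filename* handling); it only exists to
    feed realistic input into vet_filename() below.
    """
    m = _FILENAME_PARAM.search(header)
    return m.group(1) if m else None


def vet_filename(name: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a client-supplied name is acceptable as a bare file name.

    Returns (True, "ok") or (False, reason). Anything that looks like a path
    is rejected outright so the event can be logged as a traversal attempt,
    instead of being normalised into a harmless-looking name.
    """
    if not name:
        return False, "empty filename"
    if "\x00" in name:
        return False, "NUL byte"
    if "/" in name or "\\" in name:
        return False, "directory separator"  # covers ../ and ..\ sequences
    if name in (".", "..") or name.startswith(".."):
        return False, "dot segment"
    if re.search(r"%2e%2e|%2f|%5c", name, re.IGNORECASE):
        return False, "url-encoded traversal characters"
    if not _SAFE_NAME.fullmatch(name):
        return False, "disallowed characters"
    return True, "ok"


def safe_upload_path(name: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the destination path for a vetted name, or raise ValueError.

    The containment check after resolve() is the last line of defence: even if
    the allow-list were loosened later, a destination outside upload_root is
    still refused.
    """
    ok, reason = vet_filename(name)
    if not ok:
        raise ValueError(f"rejected upload filename ({reason})")
    root = upload_root.resolve()
    dest = (root / name).resolve()
    try:
        dest.relative_to(root)
    except ValueError:
        raise ValueError("destination escapes upload root") from None
    return dest


# Constructed sample headers, as a multipart parser would hand them over.
SAMPLE_HEADERS = [
    'form-data; name="upload"; filename="report.pdf"',
    'form-data; name="upload"; filename="../../outside.txt"',
    'form-data; name="upload"; filename="..\\..\\outside.txt"',
    'form-data; name="upload"; filename="%2e%2e%2foutside.txt"',
    'form-data; name="upload"; filename=".htaccess"',
]


def vet_headers(headers=SAMPLE_HEADERS):
    """Return (filename, ok, reason) per header, for logging or tests."""
    results = []
    for h in headers:
        fn = filename_from_content_disposition(h)
        ok, reason = vet_filename(fn)
        results.append((fn, ok, reason))
    return results


if __name__ == "__main__":
    for fn, ok, reason in vet_headers():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {reason:34} {fn!r}")
```

Rejecting rather than sanitising is the design choice worth noting: a handler that strips `../` and stores the file under the remaining base name still accepts the request, which hides the probe from the logs and leaves nothing for detection to key on.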

“Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows. Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications,” cloud security firm Qualys notes.

The bug impacts Struts versions 2.0.0 through 2.3.37 and 2.5.0 through 2.5.33, both of which are discontinued branches, and versions 6.0.0 through 6.3.0.2.

Struts version 6.4.0 resolves the security defect by deprecating the vulnerable file upload mechanism FileUploadInterceptor. In addition to updating Struts, users should migrate to the new mechanism, ActionFileUploadInterceptor, which is not affected, Apache says.

However, Apache warns that the change is not backward compatible and that users will have to rewrite their actions to start using the new mechanism.

“Keep using the old File Upload mechanism keeps you vulnerable to this attack,” Apache notes, explaining that no workaround is available.

CVE-2024-53677, Apache says, is similar to CVE-2023-50164 (CVSS score of 9.8), which started being targeted in attacks only days after being publicly disclosed in December last year.

Proof-of-concept (PoC) code targeting the newly resolved bug was published last week, and the first exploitation attempts started shortly after, Johannes Ullrich of the SANS Internet Storm Center warns.

“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
