Vulnerabilities

Exploitation of Recent Critical Apache Struts 2 Flaw Begins

Researchers warn of malicious attacks exploiting a recently patched critical vulnerability in Apache Struts 2 leading to remote code execution (RCE).

Apache vulnerability

Threat actors have started exploiting a critical-severity vulnerability in Apache Struts 2 less than a month after it was publicly disclosed.

The issue, tracked as CVE-2024-53677 (CVSS score of 9.5), is described as a file upload logic flaw that could enable an attacker to perform a path traversal attack.

“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution,” Apache notes in its advisory.

Essentially, attackers could exploit the vulnerability to place malicious files in restricted directories, which could allow them to steal data, execute arbitrary code, and potentially fully compromise systems.

“Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows. Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications,” cloud security firm Qualys notes.

The bug impacts Struts versions 2.0.0 through 2.3.37 and 2.5.0 through 2.5.33, which have been discontinued, and version 6.0.0 through 6.3.0.2.

Advertisement. Scroll to continue reading.

Struts version 6.4.0 resolves the security defect by deprecating the vulnerable file upload mechanism FileUploadInterceptor. In addition to updating Struts, users should migrate to the new mechanism, ActionFileUploadInterceptor, which is not affected, Apache says.

However, the company warns that the change is not backward compatible and that users will have to rewrite their actions to start using the new mechanism.

“Keep using the old File Upload mechanism keeps you vulnerable to this attack,” Apache notes, explaining that no workaround is available.

CVE-2024-53677, Apache says, is like CVE-2023-50164 (CVSS score of 9.8), which started being targeted in attacks only days after being publicly disclosed in December last year.

Proof-of-concept (PoC) code targeting the newly resolved bug was published last week, and the first exploitation attempts started shortly after, Johannes Ullrich of the SANS Internet Storm Center warns.

“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich says.

Related: Critical Vulnerabilities Found in Ruijie Reyee Cloud Management Platform

Related: LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover

Related: Many Apache Struts Security Advisories Updated Following Review

Related: Vulnerabilities in Zephyr’s Bluetooth LE Stack May Lead to DoS Attacks

Related Content

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Vulnerabilities

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets.

Vulnerabilities

Hackers are exploiting a recently patched critical vulnerability (CVE-2026-48282) in Adobe ColdFusion that carries a CVSS score of 10/10.

Vulnerabilities

CISA says threat actors are exploiting a recently patched SharePoint remote code execution vulnerability (CVE-2026-45659).

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version