
Hackers Exploit Recently Patched Apache Struts Flaw

A critical remote code execution vulnerability patched earlier this week in the Apache Struts 2 open-source development framework is already being exploited in the wild.

The flaw, tracked as CVE-2017-9805, affects applications that use the REST plugin with the XStream handler for XML payloads, and it exists due to the way Struts deserializes untrusted data. An exploit and a Metasploit module for the vulnerability were created within hours after the patch was released.
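The weakness the article describes is unrestricted deserialization: the XML handler instantiates whatever class the incoming payload names. The following is an added illustration (not Struts project code and not the 2.5.13 patch) of the allowlist approach using XStream's own security API; the `Order` class, the `order` element alias and the sample payloads are constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistedXmlEndpoint {

    // Hypothetical domain object: the only payload type this endpoint should ever accept.
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Build an XStream instance that deserializes only the types listed here.
    // An XStream instance with no permissions configured (the default in releases that
    // predate the always-on security framework) instantiates any class the XML names.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);                  // deny everything first
        xs.addPermission(NullPermission.NULL);                    // then re-allow null ...
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);     // ... primitives ...
        xs.allowTypes(new Class[] { String.class, Order.class }); // ... and the expected types
        return xs;
    }

    // Returns the parsed Order, or null when the payload names a type outside the allowlist.
    static Order parseOrder(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return (o instanceof Order) ? (Order) o : null;
        } catch (ForbiddenClassException e) {
            // The rejected class name is the signal a defender wants logged and alerted on.
            System.err.println("rejected XML naming type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();
        // Constructed sample payloads: one well-formed order, one whose root element
        // names an arbitrary JDK collection class instead of the expected type.
        String good = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String bad = "<java.util.HashMap/>";
        Order ok = parseOrder(xs, good);
        System.out.println(ok != null ? "accepted order for " + ok.sku : "rejected");
        System.out.println(parseOrder(xs, bad) == null ? "rejected unexpected type" : "ACCEPTED (misconfigured)");
    }
}
```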

lgtm, the company that discovered the flaw, warned that at least 65 percent of Fortune 100 companies use Struts and they could all be exposed to remote attacks due to this vulnerability.

However, Contrast Security, which provides protection against these types of exploits, said that less than one percent of its customers’ Java applications use the problematic REST plugin. Furthermore, data from the Maven repository shows that less than a dozen applications use this plugin.

Nevertheless, security firms have already started seeing exploitation attempts. Cisco Talos and Belgium-based NVISO Labs both spotted attacks whose apparent goal was to find vulnerable servers. The attacks spotted by these companies involved a Russian website sending the requests and receiving the results of the exploitation attempt.

Cisco has also observed attacks whose goal was to deliver a potentially malicious file. Researchers were unable to determine what payload had been served, but based on previous Apache Struts attacks, they believe it was likely DDoS bots, spam bots or other malware.

“Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred,” explained Cisco’s Nick Biasini. “However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today’s reality you no longer have weeks or months to respond to these types of vulnerabilities, it’s now down to days or hours and every minute counts.”

CVE-2017-9805 was patched by Apache Struts developers with the release of version 2.5.13, which also addresses a couple of less severe denial-of-service (DoS) vulnerabilities tracked as CVE-2017-9804 and CVE-2017-9793.

Cisco informed customers on Thursday that it’s working to determine which of its products are affected by these flaws. At the time of publication, only Cisco Emergency Responder is impacted, but not by the critical remote code execution weakness. The previously exploited Apache Struts 2 vulnerability, tracked as CVE-2017-5638, affected more than 20 Cisco products.

In the meantime, Struts developers released another update, version 2.3.34, which addresses an additional remote code execution vulnerability tracked as CVE-2017-12611. However, this vulnerability, related to Freemarker tags, has been classified as having moderate severity.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
