Recent Apache Struts 2 Vulnerability in Attacker Crosshairs

Attackers are attempting to exploit a critical RCE flaw in Apache Struts 2 after researchers publish PoC code.

Threat actors have started probing internet-accessible Apache Struts 2 instances affected by a recently disclosed remote code execution (RCE) flaw.

The critical-severity bug, tracked as CVE-2023-50164 (CVSS score of 9.8), was disclosed a week ago, when the Apache Software Foundation announced patches for it, urging customers to apply them immediately.

In its advisory, the non-profit organization explained that the issue resides in Struts’ file upload logic and that it could enable path traversal. Under certain circumstances, it allows an attacker to upload a malicious file and achieve RCE.

The security defect exists in the /upload.action endpoint, allowing an attacker to manipulate file upload parameters, cybersecurity firm Trend Micro says. Parameters are treated differently based on case sensitivity, but recent changes made by Apache led to case-insensitive HTTP parameters.

“The vulnerability in Apache Struts arises from parameter pollution. In this scenario, an attacker can manipulate the request by modifying the initial parameter and subsequently introducing an additional parameter in lowercase. This lowercased parameter can then override an internal file name variable, leading to the exploitation of the system,” Trend Micro explains.

Upon file upload, Struts creates a temporary file that is deleted after the file is written to the assigned path value. However, if the cached file exceeds a certain value, it is not deleted.

It was discovered that, if the attacker can control the filename value of the temporary file, they can exploit CVE-2023-50164 to upload a malicious payload.

When the arguments from the HTTP request are processed, if the manipulated filename value contains path traversal characters, the bug leads to a check bypass, allowing the payload to persist.
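A defender-side check for the request shape described above, as an added example that is not code from the article, Apache or Trend Micro: it parses a multipart upload and flags ordinary parameters that collide, ignoring case, with the per-file properties Struts derives from a file field, plus traversal sequences in those values. It assumes Struts' `<field>FileName` / `<field>ContentType` naming convention; the field names `Doc` and `docFileName` and both sample requests are constructed.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP
from urllib.parse import parse_qsl, urlsplit

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_upload(url, content_type, body):
    """Split a multipart upload into file parts and ordinary parameters."""
    files, params = [], parse_qsl(urlsplit(url).query, keep_blank_values=True)
    msg = BytesParser(policy=HTTP).parsebytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition") or ""
        if part.get_filename() is not None:
            files.append((name, part.get_filename()))
        else:
            params.append((name, part.get_content().strip()))
    return files, params

def inspect_upload(url, content_type, body):
    """Return alerts for client-supplied overrides of derived upload fields."""
    files, params = parse_upload(url, content_type, body)
    alerts = []
    # Assumption: Struts exposes <field>FileName / <field>ContentType per file part.
    derived = {(f + s).lower() for f, _ in files for s in ("FileName", "ContentType")}
    for name, value in params:
        if name.lower() in derived:
            alerts.append(("derived-field-override", name))
            if TRAVERSAL.search(value):
                alerts.append(("traversal-in-override", name))
    for field, filename in files:
        if TRAVERSAL.search(filename):
            alerts.append(("traversal-in-filename", field))
    return alerts

# Constructed sample requests (field names "Doc"/"docFileName" are hypothetical).
CT = "multipart/form-data; boundary=XbOuNdArY"
SUSPICIOUS = (b'--XbOuNdArY\r\nContent-Disposition: form-data; name="Doc"; '
              b'filename="report.txt"\r\nContent-Type: text/plain\r\n\r\nhello\r\n'
              b'--XbOuNdArY\r\nContent-Disposition: form-data; name="docFileName"'
              b'\r\n\r\n../../outside/report.txt\r\n--XbOuNdArY--\r\n')
BENIGN = (b'--XbOuNdArY\r\nContent-Disposition: form-data; name="doc"; '
          b'filename="report.txt"\r\nContent-Type: text/plain\r\n\r\nhello\r\n'
          b'--XbOuNdArY\r\nContent-Disposition: form-data; name="comment"'
          b'\r\n\r\nquarterly numbers\r\n--XbOuNdArY--\r\n')

if __name__ == "__main__":
    print(inspect_upload("/upload.action", CT, SUSPICIOUS))
    print(inspect_upload("/upload.action", CT, BENIGN))
```

The same rule can run over proxy or WAF request captures; a legitimate client has no reason to send a `<field>FileName` parameter of its own, so any hit is worth reviewing even without a traversal sequence.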


Trend Micro notes that it has seen broad exploitation of the vulnerability, with multiple threat actors targeting it in malicious attacks.

However, the cybersecurity firm also notes that “exploiting this vulnerability at scale becomes significantly challenging for attackers, as it lacks the same straightforward scanning and exploitation capabilities observed in CVE-2017-5638”, an unauthenticated OS command execution bug in Struts 2 that was exploited to hack Equifax in 2017.

Along with Trend Micro, Akamai, Malwarebytes, and the Shadowserver Foundation have also seen exploitation attempts targeting CVE-2023-50164, but it is unclear if the attackers were able to breach the targeted environments. Some of these attempts rely on recently released proof-of-concept (PoC) exploit code, while others are deviations from the PoC.

CVE-2023-50164 impacts Struts versions 2.0.0 to 2.3.37 (which reached end of life), 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. Apache addressed the bug in Struts versions 2.5.33 and All Struts users are advised to upgrade to a patched version as soon as possible.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

