New critical RCE vulnerability discovered in Apache Struts 2

Apache Struts 2 RCE Vulnerability

Apache has issued a security alert for a critical security flaw in the Struts 2 open-source web application framework that could lead to remote code execution.

Tracked as CVE-2023-50164the vulnerability is rooted in a flawed “file upload logic” that could allow unauthorized path traffic and under the circumstances could be exploited to upload a malicious file and achieve arbitrary code execution.

Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.

Steven Seeley of Source Incite is credited with discovering and reporting the flaw, which affects the following versions of the software:

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32, en
  • Struts 6.0.0 – Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and or later. There are no solutions that can solve the problem.

“All developers are strongly encouraged to perform this upgrade,” the project maintainers say said in an advisory posted last week. “This is a direct replacement and an upgrade should be simple.”

While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, there is already a security flaw in the software (CVE-2017-5638CVSS Score: 10.0) was weaponized by threat actors in 2017 to breach the consumer credit reporting agency Equifax.


Threat actors are to attempt Unpleasant exploit the flaw in unpatched Apache Struts servers after the Edition of a proof-of-concept (PoC), according to a after shared by the Shadowserver Foundation on X (formerly Twitter).

Web infrastructure and security company Akamai told The Hacker News that the vulnerability is “actively exploited to install web shells and then gain a foothold in targeted networks.”

“While CVE-2023-50164 is a serious security issue, it will be difficult for attackers to massively scan and exploit this vulnerability,” Praetorian researchers said. said. “The numerous preconditions needed to exploit the problem, along with the requirement that an application-defined file upload endpoint be accessible, make mass exploitation a challenge.”

Details of observed exploitation attempts

Akamai said in a December 14, 2023 update that the vulnerability could have been used to deliver JSP-based web shells that, when accessed by the attacker via a web browser or an automated script, trigger their execution, allowing them to perform follow-up actions . -up actions ranging from server takeover to data theft.

“Depending on the attacker’s intentions or motivations, they can maintain secret access for future exploitation or use the compromised server to conduct further attacks,” Akamai researchers said. noted.

Cybersecurity company Trend Micro said multiple threat actors have joined the exploitation bandwagon, but emphasized that “exploiting this vulnerability at scale will be a significant challenge for attackers, as it lacks the same simple scanning and exploitation capabilities observed in CVE-2017-5638.”


#critical #RCE #vulnerability #discovered #Apache #Struts

Notify of
Inline Feedbacks
View all comments
Previous Post

Apple releases security updates to fix critical iOS and macOS security flaws

Next Post
Researchers expose Sandman APT's hidden link to China-based KEYPLUG Backdoor

Researchers expose Sandman APT’s hidden link to China-based KEYPLUG Backdoor

Related Posts