Stratos Ally

Apache Struts RCE flaw under exploitation 

A recently disclosed critical vulnerability in Apache Struts is under active exploitation. The flaw, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10 and can lead to remote code execution under specific conditions.

The attack manipulates file upload parameters to perform path traversal, so that a malicious payload can be written to a location from which it leads to remote code execution. An attacker who succeeds can take control of the target instance, run arbitrary commands and exfiltrate data.

The vulnerability affects the following versions and is patched in Struts 6.4.0 and later:

  • Struts 2.0.0 – Struts 2.3.37 (End-of-Life),  
  • Struts 2.5.0 – Struts 2.5.33, and  
  • Struts 6.0.0 – Struts 6.3.0.2  

The widespread use of Apache Struts across the industry raises the impact of the flaw and makes it an attractive target for threat actors. Attackers are already conducting reconnaissance for vulnerable instances, and the only effective protection is an immediate upgrade to the advised stable version. Users should upgrade to the latest version as soon as possible and rewrite their code to use the new Action File Upload functionality and its related interceptor in order to mitigate the risk.
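As an added, defensive illustration of the migration the advisory calls for (this is example code, not taken from the article or from the Struts project): a Struts 6.4-style action that receives uploads through the new Action File Upload interceptor and derives the stored path from a server-generated name, so nothing in the client-supplied filename can traverse out of the upload directory. The interface, class and interceptor names used here (UploadedFilesAware, UploadedFile, actionFileUpload), the package com.example.upload and the path /var/app/uploads are assumptions to be checked against your Struts 6.4.x documentation.

```java
// Added example, not code from the article or the Struts project.
// Assumed Struts 6.4 API names (verify against your javadoc):
//   org.apache.struts2.action.UploadedFilesAware#withUploadedFiles(List<UploadedFile>)
//   org.apache.struts2.dispatcher.multipart.UploadedFile#getOriginalName()/getContent()
// Assumed struts.xml wiring for this action, replacing the legacy "fileUpload" interceptor:
//   <interceptor-ref name="actionFileUpload">
//       <param name="allowedTypes">image/png,image/jpeg</param>
//       <param name="maximumSize">2097152</param>
//   </interceptor-ref>
//   <interceptor-ref name="defaultStack"/>
package com.example.upload; // hypothetical package

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.UUID;
import java.util.regex.Pattern;

public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {

    // Fixed, server-controlled destination outside the web-served tree (hypothetical path).
    private static final Path UPLOAD_ROOT = Path.of("/var/app/uploads").toAbsolutePath().normalize();

    // Only a short, alphanumeric extension is ever taken from the client-supplied name.
    private static final Pattern SAFE_EXT = Pattern.compile("^[a-z0-9]{1,10}$");

    private List<UploadedFile> uploadedFiles = List.of();

    // The actionFileUpload interceptor hands the parsed multipart files to this method;
    // the action no longer exposes setters that an attacker could reach via request parameters.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        Files.createDirectories(UPLOAD_ROOT);
        for (UploadedFile upload : uploadedFiles) {
            Path target = resolveTarget(UPLOAD_ROOT, upload.getOriginalName());
            // getContent() is the temporary file the interceptor wrote (assumed to be a java.io.File).
            File temp = (File) upload.getContent();
            Files.copy(temp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /**
     * Builds a destination path guaranteed to stay under {@code root}. The client-supplied
     * name contributes at most an extension; the base name is generated on the server, so
     * "../" sequences or absolute paths in the original name cannot influence the location.
     */
    static Path resolveTarget(Path root, String originalName) {
        Path target = root.resolve(UUID.randomUUID() + safeExtension(originalName)).normalize();
        if (!target.startsWith(root)) {
            // Unreachable with a generated base name; kept as defence in depth.
            throw new IllegalArgumentException("upload destination escaped upload root");
        }
        return target;
    }

    /** Returns ".ext" when the original name carries a benign extension, otherwise "". */
    static String safeExtension(String originalName) {
        if (originalName == null) {
            return "";
        }
        // Drop any directory component, whichever separator the client used.
        int sep = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));
        String base = originalName.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return "";
        }
        String ext = base.substring(dot + 1).toLowerCase();
        return SAFE_EXT.matcher(ext).matches() ? "." + ext : "";
    }
}
```

The design point is that the stored path is composed entirely of server-chosen parts (a fixed root and a random base name), with the original filename reduced to a whitelisted extension; the normalize-and-startsWith check then acts as a second, independent guard. Pair this with the interceptor's allowedTypes and maximumSize parameters rather than relying on the filename alone.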
