CVE-2024-53677: Critical Apache Struts Vulnerability Under Active Attack
A critical vulnerability in Apache Struts 2 is being actively exploited by threat actors using publicly available exploits to identify vulnerable systems.
Apache Struts is an open-source framework for building Java-based web applications. It is widely utilized by various organizations, including government agencies, e-commerce platforms, financial institutions, and airlines.
Recently, Apache disclosed details of CVE-2024-53677 (CVSS score: 9.5), a flaw found in the file upload logic. The vulnerability affects Struts versions 2.0.0–2.3.37 (deprecated), 2.5.0–2.5.33, and 6.0.0–6.3.0.2. According to Apache’s security advisory, manipulation of file upload parameters allows for Path Traversal and, in some instances, enables attackers to upload malicious files, which can subsequently lead to Remote Code Execution (RCE).
In practice, this flaw permits the upload of web shells into protected directories. These files can execute commands, deploy additional malicious payloads, and exfiltrate sensitive data. Experts have drawn parallels between this vulnerability and CVE-2023-50164, suggesting a possible recurrence of the issue due to incomplete patching.
The SANS Internet Storm Center (ISC) has observed attempts to exploit the vulnerability using publicly available exploits. Current attack methods focus on enumerating vulnerable systems. Attackers have been seen uploading a file named “exploit.jsp,” containing a single line of code that displays the text “Apache Struts.” They then verify the script’s accessibility to confirm a successful breach. So far, exploitation attempts have been traced to a single IP address: 169.150.226.162.
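The probing pattern described above leaves a recognizable trace in ordinary web-server access logs: an upload request followed shortly by the same client fetching a .jsp file to confirm it is reachable, and dot-dot sequences in request URIs. The script below is an added example, not code from the ISC or Apache; it parses a few constructed Apache/Tomcat "combined" format log lines, and the only value taken from the article is the reporting IP 169.150.226.162. The endpoint name /upload.action and the other addresses and paths are assumed.

```python
"""Hunt access logs for the CVE-2024-53677 probing pattern reported by the ISC:
an upload (POST) followed within a short window by a successful GET of a .jsp
from the same client, plus path-traversal sequences in request URIs.

Added example; log lines are constructed. The only article-sourced value is
the reporting IP 169.150.226.162. /upload.action is an assumed endpoint name.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Indicator reported in the article (single source IP seen so far).
REPORTED_SOURCE_IPS = {"169.150.226.162"}

# Constructed sample log for this example (combined log format).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2024:10:01:05 +0000] "GET /index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
169.150.226.162 - - [12/Dec/2024:10:02:11 +0000] "POST /upload.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
169.150.226.162 - - [12/Dec/2024:10:02:13 +0000] "GET /exploit.jsp HTTP/1.1" 200 14 "-" "python-requests/2.31"
198.51.100.9 - - [12/Dec/2024:10:05:40 +0000] "POST /upload.action HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2024:10:05:41 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Dec/2024:10:09:02 +0000] "GET /static/..%2F..%2Fshell.jsp HTTP/1.1" 404 0 "-" "curl/8.4"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A dot-dot segment bounded by separators (or string ends), checked after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_log(text):
    """Parse combined-format lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events


def has_traversal(path):
    """True if the URI contains a dot-dot segment, plain, URL-encoded or double-encoded."""
    return bool(TRAVERSAL_RE.search(unquote(unquote(path))))


def find_drop_and_verify(events, window=timedelta(seconds=60)):
    """A POST from a client followed within `window` by a 200 GET of a .jsp file."""
    findings = []
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, post in enumerate(evs):
            if post["method"] != "POST":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - post["ts"] > window:
                    break
                target = later["path"].split("?", 1)[0].lower()
                if later["method"] == "GET" and target.endswith(".jsp") and later["status"] == 200:
                    findings.append({"rule": "drop_and_verify", "ip": ip,
                                     "detail": f'{post["path"]} then {later["path"]}'})
    return findings


def analyze(text):
    """Run all three rules over a log text and return a list of finding dicts."""
    events = parse_log(text)
    findings = find_drop_and_verify(events)
    for e in events:
        if has_traversal(e["path"]):
            findings.append({"rule": "traversal_in_uri", "ip": e["ip"], "detail": e["path"]})
    for ip in sorted({e["ip"] for e in events} & REPORTED_SOURCE_IPS):
        findings.append({"rule": "reported_source_ip", "ip": ip,
                         "detail": "matches published indicator"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["rule"]:18} {f["ip"]:16} {f["detail"]}')
```

Two caveats for anyone running this against real logs: the access log does not record the multipart filename field, so inspecting that parameter for traversal needs application-level or WAF logging, and a 200 on the follow-up GET is the signal that the drop succeeded, while a 404 on the same sequence still indicates probing worth correlating with the other rules.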
To mitigate the risk, Apache strongly advises updating to Struts version 6.4.0 or later and migrating to the new file upload mechanism. Upgrading alone is insufficient: any code that handles file uploads must be revised to use the new mechanism, because Apache has cautioned that applications which keep using the legacy file upload mechanism remain vulnerable even after the upgrade. Organizations using Struts therefore need to adapt their configurations and the associated interceptors to minimize exposure.
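Revising upload code means more than swapping an interceptor: the handler has to treat the client-supplied filename as untrusted and prove that the file it writes stays inside the upload directory. The following is an added illustration of that class of check, written in Python; it is not Struts' new upload mechanism and not code from Apache. The function names `sanitize_filename` and `save_upload`, the extension allow-list, and the sample inputs are this example's own.

```python
"""Containment checks for an upload handler: refuse any client-supplied name that
is not a plain file name with an allowed extension, then verify that the
resolved destination still lies inside the upload directory.

Added illustration, not Struts' mechanism. All names and inputs are constructed.
"""
import re
import tempfile
from pathlib import Path, PurePosixPath

# Plain names only: must start alphanumeric, no separators, bounded length.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
# Allow-list by extension; server-executable types such as .jsp are never listed.
ALLOWED_EXT = {".pdf", ".png", ".jpg"}


def sanitize_filename(client_name: str) -> str:
    """Return the name unchanged if it is acceptable; raise ValueError otherwise."""
    # Refuse, rather than strip, anything that looks like a path or carries a NUL:
    # silently stripping "../" invites the next encoding trick.
    if any(ch in client_name for ch in ("/", "\\", "\x00")):
        raise ValueError(f"path separators not allowed: {client_name!r}")
    if not SAFE_NAME_RE.match(client_name):
        raise ValueError(f"unacceptable file name: {client_name!r}")
    if PurePosixPath(client_name).suffix.lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {client_name!r}")
    return client_name


def save_upload(upload_root: Path, client_name: str, data: bytes) -> Path:
    """Write `data` under upload_root using a validated name; return the final path."""
    root = upload_root.resolve()
    dest = (root / sanitize_filename(client_name)).resolve()
    # Defence in depth: even after validation, confirm the destination stays inside root.
    if root not in dest.parents:
        raise ValueError(f"destination escapes upload root: {dest}")
    dest.write_bytes(data)
    return dest


# Constructed inputs: benign names plus the kinds of traversal and
# executable-name attempts a handler must refuse.
CONSTRUCTED_INPUTS = [
    "report.pdf",
    "photo.jpg",
    "../../exploit.jsp",
    "..\\..\\exploit.jsp",
    "..%2fexploit.jsp",
    "exploit.jsp",
    "nested/ok.png",
    ".hidden.pdf",
]


def demo() -> dict:
    """Run every constructed input through save_upload in a throwaway directory.

    Returns {input_name: saved_file_name, or None if the input was rejected}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        for name in CONSTRUCTED_INPUTS:
            try:
                results[name] = save_upload(root, name, b"constructed content").name
            except ValueError:
                results[name] = None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:28} -> {'saved as ' + outcome if outcome else 'rejected'}")
```

Whatever framework performs the check, keep the upload directory outside the servlet container's document root and deny execute permissions on it, so that a file which slips through validation is at most stored, never served as code.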
The active exploitation of this vulnerability has garnered attention from national cybersecurity agencies in Canada, Australia, and Belgium, which have issued alerts urging developers to take immediate action to safeguard their systems.