Hackers are actively exploiting a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts, a widely-used open-source web application framework. The flaw, allowing remote code execution, is being targeted in attacks that leverage publicly available proof-of-concept exploit code. Shadowserver scanning platform researchers observed a small number of IP addresses engaged in exploitation attempts. The security issue, identified as a path traversal flaw, can lead to unauthorized access, data theft, service disruption, and lateral movement in compromised networks.
Apache released patched versions (220.127.116.11 and 2.5.33) on December 7 to address the CVE-2023-50164 vulnerability. This flaw can be exploited under specific conditions, allowing an attacker to upload malicious files and achieve remote code execution on the target server. The vulnerability affects various Struts versions, including end-of-life versions, and poses a significant risk to organizations across different sectors. Cisco is currently investigating the impact of the vulnerability on its products that use Apache Struts, including Customer Collaboration Platform, Identity Services Engine, Nexus Dashboard Fabric Controller, Unified Communications Manager, Unified Contact Center Enterprise, and Prime Infrastructure.
The threat actor exploiting this vulnerability could potentially manipulate sensitive files, steal data, disrupt critical services, or move laterally within the network. The publication of a technical write-up and exploit code for CVE-2023-50164 has increased the risk, prompting organizations to update their Struts installations promptly. The ongoing investigations by Cisco and the potential impact on various products highlight the urgency for organizations to assess and mitigate the risks associated with this actively exploited Apache Struts vulnerability.