A critical vulnerability, CVE-2024-53677, has been identified in Apache Struts, a popular framework for building Java web applications. The flaw, rated with a high CVSS score of 9.5, allows attackers to manipulate file upload parameters and perform path traversal, which can lead to remote code execution. It resembles an earlier issue, CVE-2023-50164, which was patched in December 2023 and saw exploitation attempts shortly after its disclosure. This new discovery once again puts Apache Struts users at significant risk.
The flaw affects several version ranges of Struts: 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2. When exploitation succeeds, attackers can upload arbitrary files to the vulnerable system and potentially run malicious commands, exfiltrate sensitive data, or download additional payloads for further exploitation. This makes it a serious security concern for organizations that rely on Apache Struts to power critical business applications, whether internal or external.
Security experts report that exploitation attempts matching the public proof-of-concept for this vulnerability have already been detected in the wild. Attackers are reportedly scanning for vulnerable systems and attempting to locate the scripts they uploaded, which indicates that the flaw is being actively targeted. Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, noted that these exploitation attempts are ongoing, with scans originating from specific IP addresses.
To mitigate the risk of exploitation, Apache Struts users are strongly encouraged to upgrade to Struts 6.4.0 or later, the versions that include the patch for CVE-2024-53677. Additionally, users should rewrite their upload handling code to use the new Action File Upload mechanism and its related interceptor. Given how widely Apache Struts is used in corporate IT stacks, the broad potential for exploitation makes it critical for organizations to apply the patches immediately to protect their systems and data from compromise.
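As an added example (not taken from the advisory or from the Struts project), the following action shows the Action File Upload mechanism the advisory tells users to migrate to, combined with defensive handling of the client-supplied file name so that directory components can never reach the file system. It assumes the Struts 6.4.0 UploadedFilesAware/UploadedFile API with getContent() returning a java.io.File, a hypothetical /var/app/uploads storage directory, and a struts.xml mapping that applies the actionFileUpload interceptor.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Set;

// Assumed Struts 6.4.0 API: UploadedFilesAware / UploadedFile, with getContent() returning
// a java.io.File; the action is mapped with the "actionFileUpload" interceptor in struts.xml.
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Hypothetical storage directory outside the servlet document root, so nothing
    // stored here is ever served or executed by the container.
    private static final Path UPLOAD_DIR = Path.of("/var/app/uploads").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg");
    private UploadedFile uploadedFile;

    // The interceptor hands the parsed multipart files to this method; the file name is
    // no longer a settable bean property, so a request parameter cannot overwrite it.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (!uploadedFiles.isEmpty()) uploadedFile = uploadedFiles.get(0);
    }
    // Returns a safe base name, or null when the client-supplied name must be rejected.
    static String sanitizeFileName(String clientName) {
        if (clientName == null) return null;
        // Drop directory components written with either separator; ".." goes with them.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(cut + 1);
        if (!base.matches("[A-Za-z0-9_\\-]{1,64}\\.[A-Za-z0-9]{1,8}")) return null;
        String ext = base.substring(base.lastIndexOf('.') + 1).toLowerCase();
        return ALLOWED_EXTENSIONS.contains(ext) ? base : null;
    }
    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) { addActionError("No file received"); return INPUT; }
        String baseName = sanitizeFileName(uploadedFile.getOriginalName());
        if (baseName == null) { addActionError("File name rejected"); return INPUT; }
        // Defence in depth: the resolved target must still lie inside UPLOAD_DIR.
        Path target = UPLOAD_DIR.resolve(baseName).normalize();
        if (!target.startsWith(UPLOAD_DIR)) { addActionError("File path rejected"); return INPUT; }
        Files.createDirectories(UPLOAD_DIR);
        Files.copy(((File) uploadedFile.getContent()).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}
```

The allow-list regex is deliberately strict; widen it only for name shapes the application actually needs, and keep the startsWith check regardless.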