A severe security flaw in Apache Struts 2 (CVE-2024-53677) is currently being exploited in the wild, threatening numerous organizations worldwide. The vulnerability, which received a critical CVSS score of 9.5, affects multiple versions of the popular Java web application framework.
The vulnerability exists in Struts’ file upload mechanism, enabling attackers to perform path traversals and upload malicious files, potentially leading to remote code execution. Affected versions include Struts 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2.
Security researchers have observed active exploitation attempts using public proof-of-concept code. Current attacks focus on identifying vulnerable systems by uploading test files containing simple verification code. These attempts have been traced to a specific IP address (169.150.226.162).
Mitigation Requirements:
– Upgrade to Struts 6.4.0 or later
– Implement the new Action File Upload mechanism
– Rewrite existing file upload code to use it (upgrading alone is insufficient)
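As an added illustration of the mitigation list above (example code, not from the article or the Struts project): a Struts 6.4.0 action that implements `UploadedFilesAware`, receives files from the `actionFileUpload` interceptor instead of through request-parameter setters, and stores them only under a fixed directory using a sanitised basename. The class name and storage path are placeholders; the `UploadedFile` methods used are those documented for Struts 6.4.0.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Placeholder storage root outside the web root; nothing the client sends can change it.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    // Basename must start with an alphanumeric character, so "." and ".." can never pass.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");
    private List<UploadedFile> uploadedFiles = Collections.emptyList();

    // The actionFileUpload interceptor delivers files here; no File/fileName/contentType setters exist.
    @Override
    public void withUploadedFiles(List<UploadedFile> files) {
        this.uploadedFiles = files;
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile f : uploadedFiles) {
            Path target = safeTarget(f.getOriginalName());
            if (target == null) {
                addActionError("Rejected upload with unsafe file name");
                return INPUT;
            }
            // getAbsolutePath() is the interceptor's temporary file; copy fails if target already exists.
            Files.copy(Paths.get(f.getAbsolutePath()), target);
        }
        return SUCCESS;
    }

    // Keep only the last path element, enforce the whitelist, and confirm the result stays inside UPLOAD_DIR.
    static Path safeTarget(String originalName) {
        if (originalName == null) return null;
        try {
            Path base = Paths.get(originalName.replace('\\', '/')).getFileName();
            if (base == null || !SAFE_NAME.matcher(base.toString()).matches()) return null;
            Path resolved = UPLOAD_DIR.resolve(base.toString()).normalize();
            return resolved.startsWith(UPLOAD_DIR) ? resolved : null;
        } catch (InvalidPathException e) {
            return null;
        }
    }
}
```

Pair the action with an `actionFileUpload` interceptor reference in `struts.xml` that sets `maximumSize` and `allowedTypes`, so size and MIME limits are enforced before the action runs.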
Multiple national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued alerts regarding this threat. The vulnerability bears similarities to CVE-2023-50164, suggesting a possible recurrence of a previously incomplete fix.
Organizations using Apache Struts, particularly government agencies, e-commerce platforms, financial institutions, and airlines, are urged to implement these security measures immediately to prevent potential system compromises.