Active Exploitation of Newly Patched Apache Struts Vulnerability

December 17, 2024

A critical vulnerability in Apache Struts 2, identified as CVE-2024-53677, is under active exploitation, with attackers probing for vulnerable servers. Apache Struts is an open-source framework for building Java web applications and is used by a range of organizations, from government agencies to financial institutions. The vulnerability, which lies in the software's file upload logic, permits path traversal and the uploading of harmful files, potentially resulting in remote code execution. The flaw affects Struts versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2.

The Apache security bulletin states: 'An attacker can manipulate file upload parameters to enable paths traversal, and under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution.' Essentially, CVE-2024-53677 enables attackers to upload harmful files such as web shells into restricted directories, then use them to execute commands remotely, download further payloads, and steal data. The vulnerability is similar to CVE-2023-50164, leading to conjecture that an incomplete fix for the previous issue has allowed the problem to resurface.

Johannes Ullrich, a researcher at ISC SANS, has reported seeing attempts at exploitation that seem to be using publicly available exploits or are heavily influenced by them. 'We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,' reports Ullrich.

To reduce the risk, Apache recommends that users upgrade to Struts 6.4.0 or later and switch to the new file upload mechanism. Simply applying the patch is not sufficient: the code that handles file uploads in Struts applications must be rewritten to use the new Action File Upload mechanism. Apache warns: 'Keep using the old File Upload mechanism keeps you vulnerable to this attack.'
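As an added illustration of the rewrite Apache calls for (example code, not from the article or the Struts project), here is a Struts action migrated to the 6.4.0 Action File Upload mechanism. It assumes Struts 6.4.0's org.apache.struts2.action.UploadedFilesAware and org.apache.struts2.dispatcher.multipart.UploadedFile interfaces and the actionFileUpload interceptor in the action's stack; the class name, upload directory and helper are hypothetical.

```java
package example;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Migrated action (hypothetical). With the old mechanism the action exposed
// setters such as setUpload(File) and setUploadFileName(String), so the file
// name was just another request parameter. With UploadedFilesAware the
// framework hands over the parsed multipart parts instead, and the action
// decides where anything is written.
public class ProfilePictureAction extends ActionSupport implements UploadedFilesAware {

    // Hypothetical destination; in a real application inject it from configuration.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> files;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.files = uploadedFiles;
    }

    // Defence in depth: keep only the base name the client supplied and refuse
    // anything that would resolve outside UPLOAD_DIR.
    static Path safeTarget(String originalName) {
        if (originalName == null) return null;
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals("..")) return null;
        Path target = UPLOAD_DIR.resolve(base).normalize();
        return target.startsWith(UPLOAD_DIR) ? target : null;
    }

    @Override
    public String execute() throws IOException {
        if (files == null || files.isEmpty()) { addActionError("No file received"); return INPUT; }
        for (UploadedFile f : files) {
            Path target = safeTarget(f.getOriginalName());
            if (target == null) { addActionError("Rejected file name"); return INPUT; }
            // The interceptor stores the part in a temporary file; copy it into place.
            Files.copy(Paths.get(f.getAbsolutePath()), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```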

In response to the active exploitation, several national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued public alerts urging affected software developers to take immediate action. This comes a year after hackers used publicly available exploits to attack vulnerable Struts servers and achieve remote code execution.
