Cybersecurity researchers have identified active attacks exploiting a critical flaw in Apache Struts 2, a popular framework for building Java-based web applications. The vulnerability, tracked as CVE-2024-53677, has been targeted by threat actors using publicly accessible proof-of-concept (PoC) tools to compromise unpatched systems. This flaw allows attackers to bypass security measures, potentially gaining full control over affected servers.

Apache Struts, an open-source framework, supports critical operations for a wide range of organisations, including government entities, financial institutions, e-commerce platforms, and airlines. The vulnerability, which carries a Common Vulnerability Scoring System (CVSS) 4.0 score of 9.5, stems from a flaw in the software’s file upload mechanism that permits path traversal and the upload of malicious files. This can result in remote code execution (RCE), enabling attackers to steal sensitive data, deploy further payloads, or execute malicious commands remotely.

The vulnerability affects multiple versions of Apache Struts, including Struts 2.0.0 to 2.3.37 and Struts 2.5.0 to 2.5.33, both of which are no longer supported and considered end-of-life. Additionally, the issue is present in the more recent versions Struts 6.0.0 through 6.3.0.2. All are susceptible to exploitation that could lead to RCE, making the issue particularly severe. Johannes Ullrich, a researcher at ISC SANS, reported observing exploitation attempts leveraging PoC exploit code. Attackers are actively scanning for vulnerable systems by uploading a file named “exploit.jsp,” which is designed to confirm successful exploitation by displaying the “Apache Struts” string.

Ullrich noted that, to date, exploitation activity has been linked to a single IP address 169.150.226.162, but warned that this could escalate as awareness of the vulnerability grows. The attack pattern bears similarities to a previous issue, CVE-2023-50164, prompting speculation that the latest flaw could stem from an incomplete fix, a recurring challenge for the Struts project.

Mitigation requires urgent action

To address the vulnerability, users are advised to upgrade to Struts version 6.4.0 or later. However, applying the upgrade alone is not sufficient. Organisations must also migrate to the Action File Upload mechanism, as the legacy file upload logic leaves systems exposed to attack. This migration involves rewriting file upload actions to use the new mechanism, which is not backwards-compatible. “This change isn’t backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor,” stated Apache. “Continuing to use the old File Upload mechanism keeps you vulnerable to this attack.”
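As an added illustration (not code from Apache or from this article), the following shows what a rewritten upload action looks like under the new Action File Upload mechanism, combined with the filename handling that blocks the path traversal described above: the action implements the UploadedFilesAware interface, strips any directory component from the client-supplied name, allow-lists the extension, and confirms the final path stays inside a fixed upload directory. The interface and UploadedFile method names are assumed from the Struts 6.4.0 API; the upload directory and allowed extensions are placeholders.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;          // assumed: Struts 6.4.0 API
import org.apache.struts2.dispatcher.multipart.UploadedFile;  // assumed: Struts 6.4.0 API

public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Fixed destination; never derived from request data (placeholder path).
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "pdf"); // placeholder allow-list

    private List<UploadedFile> files;

    // The ActionFileUpload interceptor hands the parsed multipart files to this method.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.files = uploadedFiles;
    }

    // Reduce the client-supplied name to a bare, allow-listed base name; null means reject.
    static String safeName(String original) {
        if (original == null) return null;
        String base = original.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);           // drop any directory part
        if (base.isEmpty() || base.equals(".") || base.equals("..")) return null;
        if (!base.matches("[A-Za-z0-9._-]{1,100}")) return null;    // conservative character set
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || !ALLOWED_EXT.contains(base.substring(dot + 1).toLowerCase())) return null;
        return base;
    }

    @Override
    public String execute() throws IOException {
        if (files == null || files.isEmpty()) return INPUT;
        for (UploadedFile f : files) {
            String name = safeName(f.getOriginalName());
            if (name == null) { addActionError("Rejected upload name"); return INPUT; }
            Path target = UPLOAD_DIR.resolve(name).normalize();
            // Belt and braces: the resolved path must still sit under the upload directory.
            if (!target.startsWith(UPLOAD_DIR)) { addActionError("Path escapes upload dir"); return INPUT; }
            Files.copy(Paths.get(f.getAbsolutePath()), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }
}
```

The action must be wired to the actionFileUpload interceptor in struts.xml rather than the legacy fileUpload interceptor, otherwise withUploadedFiles is never called.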

Cybersecurity agencies in multiple countries, including Canada, Australia, and Belgium, have issued public warnings urging organisations to act swiftly. Vulnerable systems remain at significant risk of being compromised if remedial actions are not taken. This latest vulnerability underscores the persistent risks associated with outdated and unpatched software. The Apache Struts framework has been a target of high-profile attacks in the past, including the notorious Equifax data breach in 2017, which exposed the personal information of nearly 150 million people.
