Cybersecurity experts have raised alarms about threat actors exploiting a newly disclosed vulnerability in Apache Struts, tracked as CVE-2024-53677. The flaw carries a critical CVSS score of 9.5. According to Apache's advisory, an attacker can manipulate file upload parameters to achieve path traversal, which, under certain conditions, allows a malicious file to be uploaded and then used for remote code execution.

Affected Versions:

Struts 2.0.0 through Struts 2.3.37 (End of Life)

Struts 2.5.0 through Struts 2.5.33 (End of Life)

Struts 6.0.0 through Struts 6.3.0.2

Dr. Johannes Ullrich, a senior researcher at SANS Technology, noted that this vulnerability is linked to the previously identified CVE-2023-50164. An insufficient patch for the older flaw appears to have contributed to this new exploit. Ullrich confirmed that hackers are leveraging publicly available proof-of-concept (PoC) code to carry out attacks. “CVE-2024-53677 seems interconnected with CVE-2023-50164,” Ullrich explained. “The earlier vulnerability bore similarities, and its partial remediation likely paved the way for the current issue. PoC exploits are out there, and we're witnessing attempts to exploit this vulnerability that align with the PoC code.”

Recommendations

Users are urged to upgrade to Struts 6.4.0 or a later version and implement the Action File Upload Interceptor to mitigate risks.
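The mechanism described above (a client-controlled file name steering an upload into an unintended directory) and the recommended mitigation (Struts 6.4.0 with the Action File Upload Interceptor) are illustrated by the following action class. This is an added example, not code from the article or from the Apache Struts project. The interceptor name `actionFileUpload`, the `org.apache.struts2.action.UploadedFilesAware` interface and the `UploadedFile` methods used here are the ones introduced with Struts 6.4.0; the action name, the `SafeUploadAction` class, the `example` package and the `/var/app/uploads` directory are assumptions chosen for the example.

```java
// Added example (not from the article or the Struts project). A Struts 6.4.0-style
// upload action that implements UploadedFilesAware instead of the legacy setXxx /
// setXxxFileName setters the old fileUpload interceptor populated. The client-supplied
// file name is treated as untrusted: only its last path component is kept, it must
// match a conservative allow-list, and the final destination is verified to remain
// inside the upload directory before anything is written.
//
// Assumed struts.xml wiring (action name, class and paths are placeholders):
//
//   <action name="upload" class="example.SafeUploadAction">
//       <interceptor-ref name="actionFileUpload">
//           <param name="maximumSize">1048576</param>
//           <param name="allowedTypes">image/png,image/jpeg</param>
//           <param name="allowedExtensions">.png,.jpg</param>
//       </interceptor-ref>
//       <interceptor-ref name="basicStack"/>
//       <result name="success">/upload-done.jsp</result>
//       <result name="input">/upload-form.jsp</result>
//   </action>
package example;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.regex.Pattern;

public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {

    // Placeholder destination. In a real deployment this comes from configuration and
    // lives outside the web root so uploaded content is never served or executed.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Allow-list for the stored file name: no separators, no control characters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,100}");

    private List<UploadedFile> uploadedFiles;

    // Called by ActionFileUploadInterceptor after the multipart request is parsed.
    // There is no public setter through which a request parameter could override
    // the file name, which is the surface the legacy mechanism exposed.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file was uploaded.");
            return INPUT;
        }
        for (UploadedFile upload : uploadedFiles) {
            Path target = safeTarget(upload.getOriginalName());
            if (target == null) {
                addActionError("Rejected file name: " + upload.getOriginalName());
                return INPUT;
            }
            Object content = upload.getContent();
            if (!(content instanceof File)) {
                addActionError("Unexpected upload content type.");
                return INPUT;
            }
            Files.createDirectories(UPLOAD_DIR);
            Files.copy(((File) content).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /**
     * Maps an untrusted, client-supplied file name to a path inside UPLOAD_DIR, or
     * returns null if the name cannot be accepted. The allow-list blocks separators
     * and ".."; the startsWith check is kept as a second guard against any
     * normalisation surprise.
     */
    static Path safeTarget(String originalName) {
        if (originalName == null) {
            return null;
        }
        // Keep only the last path component; some clients send a full local path.
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (!SAFE_NAME.matcher(base).matches() || base.equals(".") || base.equals("..")) {
            return null;
        }
        Path target = UPLOAD_DIR.resolve(base).normalize();
        return target.startsWith(UPLOAD_DIR) ? target : null;
    }
}
```

Applications still declaring the old `fileUpload` interceptor, or exposing `setXxxFileName`-style setters on their actions, have not migrated; the upgrade alone does not complete the mitigation until the action implements `UploadedFilesAware` and the stack references `actionFileUpload`.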
