Risk actors are trying to take advantage of a lately disclosed safety flaw impacting Apache Struts that might pave the best way for distant code execution.
The difficulty, tracked as CVE-2024-53677, carries a CVSS rating of 9.5 out of 10.0, indicating essential severity. The vulnerability shares similarities with one other essential bug the challenge maintainers addressed in December 2023 (CVE-2023-50164, CVSS rating: 9.8), which additionally got here beneath energetic exploitation shortly after public disclosure.
“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” in line with the Apache advisory.
In different phrases, profitable exploitation of the flaw might permit a malicious actor to add arbitrary payloads to prone situations, which might then be leveraged to run instructions, exfiltrate knowledge, or obtain further payloads for follow-on exploitation.
The vulnerability impacts the next variations, and has been patched in Struts 6.4.0 or larger –
- Struts 2.0.0 – Struts 2.3.37 (Finish-of-Life),
- Struts 2.5.0 – Struts 2.5.33, and
- Struts 6.0.0 – Struts 6.3.0.2
Dr. Johannes Ullrich, dean of analysis for SANS Expertise Institute, stated that an incomplete patch for CVE-2023-50164 could have led to the brand new downside, including exploitation makes an attempt matching the publicly-released proof-of-concept (PoC) have been detected within the wild.
“At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich famous. “Next, the attacker attempts to find the uploaded script. So far, the scans originate only from 169.150.226[.]162.”
To mitigate the chance, customers are really helpful to improve to the most recent model as quickly as potential and rewrite their code to make use of the brand new Motion File Add mechanism and associated interceptor.
“Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows,” Saeed Abbasi, product supervisor of Risk Analysis Unit at Qualys, stated. “Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications.”
