There are significant concerns over a critical, recently disclosed remote code execution (RCE) vulnerability in Apache Struts 2 that attackers have been actively exploiting over the past few days. Apache Struts is a widely used open source framework for building Java applications, allowing developers to build modular Web applications based on the Model-View-Controller (MVC) architecture. The Apache Software Foundation (ASF) disclosed the bug on Dec. 7 and rated it 9.8 out of 10 on the CVSS scale. The vulnerability, tracked as CVE-2023-50164, relates to how Struts handles parameters in file uploads, providing attackers with the ability to gain complete control of affected systems.
The flaw has raised considerable concern because of its prevalence, its remote executability, and the public availability of proof-of-concept exploit code. Multiple vendors and entities have reported signs of exploit activity targeting the flaw since its disclosure. The vulnerability affects Struts versions 2.5.0 to 2.5.32 and Struts versions 6.0.0 to 6.3.0, and there are no known mitigations available. Organizations using the software are recommended to immediately update to Struts version 2.5.33 or Struts 6.3.0.2 or greater. Although the flaw is considered difficult to exploit at scale, it still poses a significant security risk to organizations worldwide because of how extensively Apache Struts is integrated into critical systems.
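A quick way for defenders to find exposed deployments is to compare every Struts dependency against the affected and fixed versions listed above. The following is an added example, not code from the article or the Struts project: it resolves `org.apache.struts` dependencies in a Maven `pom.xml` (including `${property}` versions) and flags anything below the fixed floor of its branch. The sample POM is constructed, and the Maven 4.0.0 namespace handling is an assumption about how the file is written.

```python
"""Flag Apache Struts 2 versions in the CVE-2023-50164 affected ranges.

Affected per the advisory: 2.5.0-2.5.32 and 6.0.0-6.3.0; fixed in 2.5.33 and 6.3.0.2.
Any version at or above a branch floor but below that branch's first fixed
release is treated as affected (the conservative reading for odd patch levels).
"""
import re
import xml.etree.ElementTree as ET

# (branch floor, first fixed version) for each affected line, from the advisory text
AFFECTED_BRANCHES = [((2, 5, 0), (2, 5, 33)), ((6, 0, 0), (6, 3, 0, 2))]
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"  # assumption: standard Maven POM namespace


def pad(parts):
    """Pad to four numeric components so 6.3.0 compares below 6.3.0.2."""
    return tuple(parts) + (0,) * (4 - len(parts))


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2); suffixes such as -SNAPSHOT are ignored."""
    return pad([int(p) for p in re.findall(r"\d+", text)][:4])


def is_affected(version):
    """True when the version falls inside an affected branch and below its fix."""
    v = parse_version(version)
    return any(pad(floor) <= v < pad(fixed) for floor, fixed in AFFECTED_BRANCHES)


def struts_versions_in_pom(pom_xml):
    """Return {artifactId: version} for org.apache.struts dependencies, resolving ${prop} refs."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(MAVEN_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{MAVEN_NS}properties/*")}
    found = {}
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        if (dep.findtext(f"{MAVEN_NS}groupId") or "").strip() != "org.apache.struts":
            continue
        version = (dep.findtext(f"{MAVEN_NS}version") or "").strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        found[dep.findtext(f"{MAVEN_NS}artifactId").strip()] = version
    return found


def audit_pom(pom_xml):
    """Map each Struts artifact to (version, affected?) for reporting."""
    return {a: (v, is_affected(v)) for a, v in struts_versions_in_pom(pom_xml).items()}


# Constructed sample POM: one affected core dependency, one already-fixed plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.30</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>${struts.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-json-plugin</artifactId><version>6.3.0.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, (version, affected) in audit_pom(SAMPLE_POM).items():
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'ok'}")
```

The same `is_affected` check can be applied to jar names pulled from a deployed `WEB-INF/lib` directory, since those carry the version in the filename.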
Security experts have highlighted the potential for targeted attacks given Apache Struts’ extensive use in critical systems, including those of Fortune 500 companies, government, and critical infrastructure sectors. Additionally, Cisco is investigating all products likely affected by the bug and plans to release additional information and updates as needed, underscoring the widespread impact of the vulnerability. The presence of this vulnerability in such a widely adopted framework raises significant security concerns: large-scale attacks are difficult, but they remain possible.