New critical Apache Struts flaw exploited to find vulnerable servers
A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices.
Apache Struts is an open-source framework for building Java-based web applications used by various organizations, including government agencies, e-commerce platforms, financial institutions, and airlines.
Apache publicly disclosed the Struts CVE-2024-53677 flaw (CVSS 4.0 score: 9.5, "critical") six days ago, stating it is a bug in the software's file upload logic, allowing path traversals and the uploading of malicious files that could lead to remote code execution.
It impacts Struts 2.0.0 through 2.3.37 (end-of-life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2.
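The version ranges above are the practical input to an exposure check. The following is an added example, not code from Apache or from the article: it parses a Struts version string, compares it against the affected ranges stated here, and distinguishes a vulnerable build from a patched one that still needs its upload code migrated (the point the article makes later). The four-component padding and the status labels are this example's own conventions.

```python
# Exposure check for CVE-2024-53677 based on the ranges published by Apache.
# Versions are compared as 4-tuples so that "6.3.0.2" and "6.3.0" order correctly.
AFFECTED_RANGES = (
    ((2, 0, 0, 0), (2, 3, 37, 0)),   # 2.3.x is end-of-life: no fixed release exists
    ((2, 5, 0, 0), (2, 5, 33, 0)),
    ((6, 0, 0, 0), (6, 3, 0, 2)),
)
FIXED_FROM = (6, 4, 0, 0)            # first release with the Action File Upload mechanism


def parse_version(text: str) -> tuple:
    """Turn '6.3.0.2' or '2.5.33' into a zero-padded 4-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str, uses_action_file_upload: bool = False) -> str:
    """Classify a deployment.

    AFFECTED                   - version inside a published vulnerable range
    PATCHED_MIGRATION_REQUIRED - 6.4.0+ but actions still use the old File Upload mechanism
    REMEDIATED                 - 6.4.0+ and actions rewritten for Action File Upload
    UNKNOWN                    - outside the published ranges; check the Apache bulletin
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "AFFECTED"
    if v >= FIXED_FROM:
        return "REMEDIATED" if uses_action_file_upload else "PATCHED_MIGRATION_REQUIRED"
    return "UNKNOWN"


if __name__ == "__main__":
    # Constructed inventory: (version string, whether upload code was migrated)
    for ver, migrated in [("2.3.37", False), ("6.3.0.2", False), ("6.4.0", False), ("6.4.0", True)]:
        print(f"Struts {ver:8} migrated={migrated!s:5} -> {assess(ver, migrated)}")
```

Feed it the version from each application's `struts2-core` jar; any result other than `REMEDIATED` is an open item, because the article's point is that the fixed release alone does not close the hole.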
"An attacker can manipulate file upload parameters to enable paths traversal, and under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution," reads the Apache security bulletin.
In short, CVE-2024-53677 allows attackers to upload dangerous files like web shells into restricted directories and use them to remotely execute commands, download further payloads, and steal data.
The vulnerability is similar to CVE-2023-50164, and there's speculation that the same issue has re-emerged due to an incomplete fix, a problem that has plagued the project before.
SANS ISC researcher Johannes Ullrich reports seeing exploitation attempts that appear to use publicly available exploits or are at least heavily inspired by them.
"We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems," reports Ullrich.
Attackers are enumerating vulnerable systems by using the exploit to upload an "exploit.jsp" file that contains a single line of code to print the "Apache Struts" string.
The attacker then requests the uploaded script to verify that the server was successfully exploited. Ullrich says the exploitation has only been detected from a single IP address, 169.150.226.162.
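The enumeration pattern described above leaves a recognisable trace in web server access logs: a POST to a Struts action followed shortly by a GET for a freshly planted `.jsp` from the same client. The following is an added example, not code from the article or from SANS ISC, that scans Apache combined-format log lines for that sequence, for requests to the `exploit.jsp` probe file named in the report, and for the source address the report lists. The sample log lines are constructed, the 60-second pairing window is an assumption, and the `.action` suffix is assumed to be how upload endpoints are routed in the application being monitored.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

PROBE_FILE = "exploit.jsp"               # probe filename named in the SANS ISC report
REPORTED_SOURCES = {"169.150.226.162"}   # single source address cited in the article
WINDOW = timedelta(seconds=60)           # assumption: max gap between upload and fetch

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2024:10:00:01 +0000] "POST /upload.action HTTP/1.1" 200 512
203.0.113.7 - - [16/Dec/2024:10:00:03 +0000] "GET /exploit.jsp HTTP/1.1" 200 14
198.51.100.2 - - [16/Dec/2024:10:00:05 +0000] "GET /index.action HTTP/1.1" 200 2048
198.51.100.2 - - [16/Dec/2024:10:01:00 +0000] "POST /upload.action HTTP/1.1" 200 512
198.51.100.2 - - [16/Dec/2024:10:20:00 +0000] "GET /static/app.js HTTP/1.1" 200 900
169.150.226.162 - - [16/Dec/2024:10:30:00 +0000] "GET /index.action HTTP/1.1" 200 2048
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text: str) -> list:
    """Return one alert per log line that matches any of the three indicators."""
    alerts = []
    last_action_post = {}  # ip -> timestamp of that client's most recent POST to a .action
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        path = rec["path"].split("?", 1)[0]

        if rec["ip"] in REPORTED_SOURCES:
            reasons.append("source address reported in active exploitation")
        if path.lower().endswith("/" + PROBE_FILE):
            reasons.append(f"request for probe file {PROBE_FILE}")

        if rec["method"] == "POST" and path.endswith(".action"):
            last_action_post[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and path.lower().endswith(".jsp") and rec["status"] == 200:
            prev = last_action_post.get(rec["ip"])
            if prev is not None and rec["ts"] - prev <= WINDOW:
                reasons.append("jsp served shortly after a POST to a Struts action")

        if reasons:
            alerts.append({"ip": rec["ip"], "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(a["ip"], a["path"], "; ".join(a["reasons"]))
```

The upload-then-fetch rule is the durable one: a probe file name and a source address change between campaigns, while a `.jsp` being served from a location the application only ever writes uploads to does not. Pair it with a file-integrity alert on the upload directory, since a successful write there is the condition the upgrade and migration are meant to remove.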
To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism.
Merely applying the patch isn't enough, as the code that handles file uploads in Struts applications needs to be rewritten to implement the new Action File Upload mechanism.
"This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor," warns Apache.
"Keep using the old File Upload mechanism keeps you vulnerable to this attack."
With active exploitation underway, multiple national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued public alerts urging impacted software developers to take immediate action.
Exactly a year ago, hackers leveraged publicly available exploits to attack vulnerable Struts servers and achieve remote code execution.