On December 15, 2024, reports emerged that threat actors have begun attempting to exploit a recently disclosed critical vulnerability in Apache Struts (CVE-2024-53677) shortly after the publication of a Proof-of-Concept (PoC) exploit.
Apache Struts is a widely used open-source web application framework for developing Java-based applications. CVE-2024-53677 is a file upload path traversal vulnerability in Struts that allows attackers to upload files to restricted directories, potentially leading to Remote Code Execution (RCE) if a webshell is uploaded and exposed in the web root. The fix for this vulnerability was released on December 10th.
Apache Struts has been an attractive target for threat actors, as evidenced by several RCE vulnerabilities affecting Apache Struts being listed in CISA’s Known Exploited Vulnerabilities Catalog. Threat actors may target CVE-2024-53677 in the near term due to the publicly accessible PoC, which lowers the barrier to exploitation. Exploitation attempts have quickly followed PoC releases, as demonstrated by the surge in attempts after the publication of PoC exploit code for CVE-2024-0012 and CVE-2024-9474 in Palo Alto Networks PAN-OS in November.
Recommendations for CVE-2024-53677
Upgrade to Latest Fixed Version
Where feasible, Arctic Wolf strongly recommends upgrading Apache Struts to the latest version.
| Product | Affected Version | Fixed Version |
| Apache Struts | 2.0.0 – 2.3.37 (EOL) | 6.4.0 or later, and must migrate to the new file upload mechanism. |
| 2.5.0 – 2.5.33 | ||
| 6.0.0 – 6.3.0.2 |
This update is not backward compatible, meaning you must modify the code in your application(s) responsible for handling user actions, such as file uploads, to use the new Action File Upload mechanism and its associated interceptor. Continuing to use the old file upload mechanism will leave your application vulnerable to this attack.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Closely Monitor Software Vendor Patch Advisories Related to CVE-2024-53677
While Apache has released a fix for CVE-2024-53677, the security patch is not automatically applied to software products that use the framework. The best method for remediating CVE-2023-50164 in third-party software products is to apply the official security updates from the vendor of each affected software product.
We strongly recommend monitoring software vendor advisories for security updates that remediate CVE-2023-50164 in your environment and applying available security update promptly.
References
