CVE-2023-50164 is harder to exploit than the 2017 Struts bug behind the massive breach at Equifax, but don't underestimate the potential for attackers to use it in targeted attacks.
Concerns are high over a critical, recently disclosed remote code execution (RCE) vulnerability in Apache Struts 2 that attackers have been actively exploiting over the past few days.
Apache Struts is a widely used open source framework for building Java applications. Developers can use it to build modular Web applications based on what is known as the Model-View-Controller (MVC) architecture. The Apache Software Foundation (ASF) disclosed the bug on Dec. 7 and gave it a near-maximum severity rating of 9.8 out of 10 on the CVSS scale. The vulnerability, tracked as CVE-2023-50164, has to do with how Struts handles parameters in file uploads and gives attackers a way to gain complete control of affected systems.
The flaw has evoked considerable concern because of its prevalence, the fact that it is remotely executable, and because proof-of-concept exploit code is publicly available for it. Since the disclosure of the flaw last week, multiple vendors — and entities such as ShadowServer — have reported seeing signs of exploit activity targeting the flaw.
The ASF itself has described Apache Struts as having a "huge user base," because of the fact that it has been around for more than two decades. Security experts estimate there are thousands of applications worldwide — including those in use at many Fortune 500 companies and organizations in government and critical infrastructure sectors — that are based on Apache Struts.
Many vendor technologies incorporate Apache Struts 2 as well. Cisco, for instance, is currently investigating all products that are likely affected by the bug and plans to release additional information and updates when needed. Products that are under scrutiny include Cisco's network management and provisioning technologies, voice and unified communications products and its customer collaboration platform.
The vulnerability affects Struts versions 2.5.0 to 2.5.32 and Struts versions 6.0.0 to 6.3.0. The bug is also present in Struts versions 2.0.0 to Struts 2.3.37, which are now end-of-life.
The ASF, security vendors and entities such as the US Cybersecurity and Infrastructure Security Agency (CISA) have recommended that organizations using the software immediately update to Struts version 2.5.33 or Struts 6.3.0.2 or greater. No mitigations are available for the vulnerability, according to the ASF; upgrading is the only fix.
In recent years, researchers have unearthed numerous flaws in Struts. Easily the most significant of them was CVE-2017-5638 in 2017, which affected thousands of organizations and enabled a breach at Equifax that exposed sensitive data belonging to a staggering 143 million US consumers. That bug is actually still floating around — campaigns using the just-discovered NKAbuse blockchain malware, for instance, are exploiting it for initial access.
Researchers at Trend Micro who analyzed the new Apache Struts vulnerability this week described it as dangerous but considerably harder to exploit at scale than the 2017 bug, which was little more than a scan-and-exploit issue.
"The CVE-2023-50164 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide," Trend Micro researchers said.
The flaw basically allows an adversary to manipulate file upload parameters to enable path traversal: "This could potentially result in the uploading of a malicious file, enabling remote code execution," they noted.
To exploit the flaw, an attacker would first need to scan for and identify websites or Web applications using a vulnerable Apache Struts version, Akamai said in a report summarizing its analysis of the threat this week. They would then need to send a specially crafted request to upload a file to the vulnerable site or Web app. The request would carry manipulated file upload parameters that cause the vulnerable system to place the file in a location or directory from which the attacker could access it and trigger the execution of malicious code on the affected system. In other words, the upload itself is the foothold: the application must expose an upload action, and the attacker must be able to reach a directory from which the written file can be served or executed.
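The path traversal pattern described above, as an added illustration that is not Struts' own code and does not reproduce CVE-2023-50164's specific parameter handling: a plain Java upload handler that builds a destination path from a client-supplied file name, first as it is commonly written (vulnerable) and then with the checks a practitioner would want before writing anything to disk. The class and method names, the temporary directories and the sample file names are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Generic file-upload destination handling (illustrative; not Struts code and
// not the CVE's mechanism). Shows why a client-controlled file name must never
// be joined to a directory path unchecked.
public class UploadPathCheck {

    // Vulnerable pattern: the client-supplied name is joined to the upload
    // directory as-is, so "../" segments walk out of it and the file can land
    // somewhere the application (or the attacker) can later reach.
    static Path destinationUnsafe(Path uploadDir, String clientFileName) {
        return uploadDir.resolve(clientFileName);
    }

    // Hardened pattern: reject (rather than silently sanitize) any name that
    // carries path separators, dot segments or NUL bytes, then verify that the
    // normalized result still lies strictly inside the upload directory.
    // Rejecting instead of stripping keeps traversal attempts visible in logs.
    static Path destinationSafe(Path uploadDir, String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Both separator styles: clients and multipart headers vary.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0
                || clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientFileName).normalize();
        // Defence in depth: even after the checks above, confirm containment.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("path escapes upload dir: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a web application root with an uploads/ subdirectory.
        Path webappRoot = Files.createTempDirectory("webapp");
        Path uploadDir = Files.createDirectories(webappRoot.resolve("uploads"));

        // Constructed sample names: one benign, two traversal attempts aimed at
        // dropping a server-side script (hypothetical "shell.jsp") into the root.
        String[] names = { "report.pdf", "../shell.jsp", "..\\shell.jsp" };
        for (String name : names) {
            Path unsafe = destinationUnsafe(uploadDir, name).normalize();
            // On POSIX the backslash form is a single segment, so only the "../"
            // form actually escapes here; on Windows both would.
            System.out.printf("unsafe: %-14s -> %s (inside uploads: %b)%n",
                    name, unsafe, unsafe.startsWith(uploadDir));
            try {
                Path safe = destinationSafe(uploadDir, name);
                System.out.printf("safe:   %-14s -> %s%n", name, safe);
            } catch (IllegalArgumentException e) {
                System.out.printf("safe:   %-14s -> REJECTED (%s)%n", name, e.getMessage());
            }
        }
    }
}
```

Run it with `java UploadPathCheck.java` (JDK 11 or later). The unsafe variant resolves `../shell.jsp` to a path outside `uploads/`, which is exactly the condition that turns an upload feature into a code execution primitive when the target directory is served or executed by the container; the hardened variant rejects both traversal forms and still passes the benign name. The final `startsWith` check is deliberate redundancy: it guards against the next developer loosening the name filter.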
"The Web application must have certain actions implemented to enable the malicious multipart file upload," says Sam Tinklenberg, senior security researcher at