Advisory: Exploitation attempts of critical Apache Struts vulnerability (CVE-2024-53677)
mnemonic has observed wide exploitation attempts against the recently disclosed vulnerability. Successful exploitation may lead to Remote Code Execution.

Background
On December 11th 2024, Apache disclosed a critical vulnerability in Struts2 related to flawed file upload logic. Tracked as CVE-2024-53677, the vulnerability has been identified as a path traversal issue with a CVSS score of 9.5.
If exploited, the vulnerability enables path traversal and unauthorised file uploads to restricted directories, potentially leading to Remote Code Execution if a web shell is uploaded and then reached over the web. Apache disclosed a similar critical vulnerability, CVE-2023-50164, in December 2023. Read our advisory for CVE-2023-50164.
The vulnerability is categorised as CWE-434: Unrestricted Upload of File with Dangerous Type. This type of vulnerability indicates that the product allows uploads or transfers of dangerous file types that are automatically processed within its environment.
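As an added illustration (not code from the advisory, from Apache, or from the Struts project), the following Python sketch contrasts the weak pattern behind path-traversal upload bugs of this class with a hardened handler that keeps client-supplied names inside the upload directory and allow-lists file types, which is the CWE-434 control. Struts itself is Java and the advisory's actual remedy is the upgrade to 6.4.0 and the new upload mechanism; UPLOAD_ROOT, ALLOWED_EXTENSIONS, the function names and the sample filenames are assumptions constructed for this example.

```python
import os
import posixpath
import re
from typing import Optional

# Constructed values for this example; not taken from the advisory.
UPLOAD_ROOT = "/srv/app/uploads"
# Allow-list of extensions the application actually needs. Server-executable
# types (.jsp, .jspx, .war, ...) are deliberately absent: that is the CWE-434 control.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}
# Conservative filename charset: no separators, no NUL, no control or percent characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def naive_upload_path(client_filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """The weak pattern: the client-supplied name is joined straight onto the
    upload directory, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def safe_upload_path(client_filename: str, upload_root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the destination path for an upload, or None if the name is rejected."""
    # 1. Keep only the last path component; a client may never choose directories.
    #    Backslashes are treated as separators too, so Windows-style traversal is caught.
    base = posixpath.basename(client_filename.replace("\\", "/"))
    # 2. Reject empty, dot-only and hidden names (e.g. .htaccess).
    if base in ("", ".", "..") or base.startswith("."):
        return None
    # 3. Strict charset and length.
    if not SAFE_NAME.fullmatch(base):
        return None
    # 4. Extension allow-list, checked on the *last* extension so "x.png.jsp" fails.
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # 5. Belt and braces: the resolved destination must remain inside upload_root
    #    (lexical check here; add os.path.realpath on an existing root to defeat symlinks).
    root = os.path.abspath(upload_root)
    dest = os.path.abspath(os.path.join(root, base))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


if __name__ == "__main__":
    for name in ("report.pdf", "../../webapps/ROOT/shell.jsp", "photo.png.jsp"):
        print(f"{name!r}: naive={naive_upload_path(name)} safe={safe_upload_path(name)}")
```

The naive variant shows why a traversal name lands outside the upload root, while the hardened variant rejects the same inputs at the basename, charset and extension steps before the containment check is even reached; the containment check remains as a last line of defence in case an earlier step is later relaxed.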
Threat Intelligence assessment
The vulnerability presents a significant risk to organisations exposing the affected software to a wide audience, because of the potential for remote code execution and the ease of exploitation. Additionally, the file upload functionality in Apache Struts has previously been involved in critical vulnerabilities, such as CVE-2023-50164. Since the attack vector is the same for both vulnerabilities, this suggests inadequate code review of the functionality.
SANS reports public attempts at enumerating vulnerable systems. mnemonic is also observing similar traffic towards our customer base.
Successful exploitation of this vulnerability could allow threat actors to run arbitrary commands on affected instances and compromise the affected systems. Publicly available Proof of Concept (PoC) code has been observed on GitHub, which lowers the barrier for malicious actors to perform exploitation. An increased volume of attacks is expected in the coming days.
mnemonic is continuously monitoring the situation and has first-hand observations of wide exploitation attempts.
Affected systems
The following versions are affected:
- Struts 2.0.0 through Struts 2.3.37 (EOL)
- Struts 2.5.0 through Struts 2.5.33 (EOL)
- Struts 6.0.0 through Struts 6.3.0.2
Recommendations
Users are strongly encouraged to upgrade to Apache Struts 6.4.0 or a newer version and transition to the updated file upload mechanism. This migration is essential for maintaining security and stability, even though it is not backward compatible and may require rewriting certain actions and interceptors. Relying on the legacy file upload method exposes systems to vulnerabilities.
mnemonic also advises organisations to treat the file upload functionality of Apache Struts applications as higher risk, given that the same functionality has been affected by two critical vulnerabilities causing remote code execution within the same attack surface. Organisations are encouraged to disable this feature if it is not in use. Alternatively, Web Application Firewall (WAF) rules can be applied to prevent misuse of this functionality.
Detection coverage for mnemonic MDR customers
mnemonic is continuously monitoring the situation and actively implementing detections for the vulnerability as new information becomes available.
Argus Continuous Vulnerability Monitoring (ACVM) customers can perform an Observation Search for CVE-2024-53677 to find all observations matched in your environment.