Menace actors try to take advantage of a not too long ago disclosed safety flaw impacting Apache Struts that would pave the best way for distant code execution.
The difficulty, tracked as CVE-2024-53677, carries a CVSS rating of 9.5 out of 10.0, indicating vital severity. The vulnerability shares similarities with one other vital bug the venture maintainers addressed in December 2023 (CVE-2023-50164, CVSS rating: 9.8), which additionally got here below energetic exploitation shortly after public disclosure.
“An attacker can manipulate file add params to allow paths traversal and below some circumstances this could result in importing a malicious file which can be utilized to carry out Distant Code Execution,” in response to the Apache advisory.
In different phrases, profitable exploitation of the flaw may enable a malicious actor to add arbitrary payloads to inclined cases, which may then be leveraged to run instructions, exfiltrate knowledge, or obtain extra payloads for follow-on exploitation.
The vulnerability impacts the next variations, and has been patched in Struts 6.4.0 or larger –
- Struts 2.0.0 – Struts 2.3.37 (Finish-of-Life),
- Struts 2.5.0 – Struts 2.5.33, and
- Struts 6.0.0 – Struts 6.3.0.2
Dr. Johannes Ullrich, dean of analysis for SANS Know-how Institute, mentioned that an incomplete patch for CVE-2023-50164 might have led to the brand new drawback, including exploitation makes an attempt matching the publicly-released proof-of-concept (PoC) have been detected within the wild.
“At this level, the exploit makes an attempt try to enumerate susceptible techniques,” Ullrich famous. “Subsequent, the attacker makes an attempt to seek out the uploaded script. To date, the scans originate solely from 169.150.226[.]162.”
To mitigate the chance, customers are advisable to improve to the newest model as quickly as doable and rewrite their code to make use of the brand new Motion File Add mechanism and associated interceptor.
“Apache Struts sits on the coronary heart of many company IT stacks, driving public-facing portals, inner productiveness functions, and significant enterprise workflows,” Saeed Abbasi, product supervisor of Menace Analysis Unit at Qualys, mentioned. “Its recognition in high-stakes contexts implies that a vulnerability like CVE-2024-53677 may have far-reaching implications.”