What is CVE-2024-53677?
CVE-2024-53677 is a critical (CVSS 9.5) remote code execution (RCE) vulnerability affecting Apache Struts, an open-source framework for building Java-based web apps. The flaw lies in the framework’s file upload logic: it lets an attacker perform path traversal and achieve remote code execution by uploading a malicious file.
What assets are affected by CVE-2024-53677?
The following assets are affected by CVE-2024-53677:
- Struts 2.0.0 through Struts 2.3.37 (EOL)
- Struts 2.5.0 through Struts 2.5.33 (EOL)
- Struts 6.0.0 through Struts 6.3.0.2
Apache noted that applications not using FileUploadInterceptor are not affected by this vulnerability.
Are fixes available?
Upgrade: Customers are advised to upgrade to Struts 6.4.0 or greater. There is no fix available for Struts 2.0.0 through Struts 2.3.37 or Struts 2.5.0 through Struts 2.5.33, as they are no longer supported by Apache.
Are there any other recommended actions to take?
If it isn’t feasible to patch affected devices, organizations can migrate to the new file upload mechanism.
However, this change is not backwards compatible. To prevent this vulnerability from being exploited, all existing actions using the old file upload mechanism must be rewritten to work with the new Action File Upload mechanism and its related interceptor. Continuing to use the old file upload mechanism, even after upgrading, will leave your application vulnerable to this attack.
Is CVE-2024-53677 being actively exploited?
Johannes Ullrich, a researcher at the SANS Internet Storm Center (ISC), reported that there have been active attempts to exploit this vulnerability linked to a single IP address: “We are seeing active exploit attempts for this vulnerability that match the PoC exploit code.”
So far, attacks have been limited to attempts to enumerate vulnerable devices, using the exploit to upload a single line of code in a file named “exploit.jsp”. Upon successful exploitation, the file prints the “Apache Struts” string, confirming to the attackers that the target is exploitable.
What types of organizations are at risk from CVE-2024-53677?
Widespread exploitation of this vulnerability is a serious threat because Apache Struts is used by enterprise organizations across the world due to its many integrations, data validation capabilities, and scalable architecture. Potentially impacted industries include financial institutions, government agencies, and airlines.
How is CyCognito helping customers identify assets vulnerable to CVE-2024-53677?
CyCognito is actively researching less intrusive detection methods to identify CVE-2024-53677 without taking actions that could alter or disrupt customer environments. For now, CyCognito is flagging assets that are potentially vulnerable alongside remediation instructions.
Figure 1: The alert sent by CyCognito for CVE-2024-53677
How can CyCognito help your organization?
CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.