Attackers worldwide are actively exploiting a severe vulnerability in Apache Struts 2, a popular open-source framework for developing Java web applications and websites. The alert comes from Australian and French authorities, who anticipate widespread abuse. The Apache Foundation responded on December 7 with security updates that address the vulnerability, tracked as CVE-2023-50164.
In 2017, a similar critical flaw in Struts was exploited to steal the data of over 147 million Americans from the U.S. credit bureau Equifax. The vulnerability now under attack allows an attacker to manipulate file upload parameters. This enables path traversal, so that an uploaded file can be written outside the intended upload directory, and the upload of harmful files, ultimately leading to remote code execution, where the attacker gains control of the affected system.
Recently, the Shadowserver Foundation observed attacks that use previously published proof-of-concept exploit code. The Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and the internet giant Akamai have also reported exploitation. Authorities advise organizations to update their Struts-based applications, as they expect extensive abuse. Through this security hole, attackers can install a backdoor or web shell, giving them sustained access to the compromised server and enabling further malicious activity.
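The flaw described above turns a client-supplied upload file name into a path traversal. As an added illustration (not code from the article, from Apache Struts, or from any of the organisations named), the following Java snippet shows the defensive check an application-side upload handler should apply regardless of the framework version: the file name must be a single path segment, the extension must be on an allowlist so that server-executable files such as JSP cannot be stored, and the canonical target must remain inside the upload root. The class name, the allowlist and the sample file names are assumptions for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

public class SafeUploadPath {
    // Extensions this hypothetical application expects to receive (assumed allowlist).
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "png", "jpg", "txt");

    /**
     * Returns the only location a client-supplied file name may be written to,
     * or throws IllegalArgumentException if the name could escape the upload root
     * or is not an allowed file type.
     */
    public static Path resolveUploadTarget(Path uploadRoot, String clientFilename) throws IOException {
        if (clientFilename == null || clientFilename.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // A file name must be a single segment: reject both separator styles, NUL and
        // any ".." (conservative: also rejects odd but harmless names like "a..b.txt").
        if (clientFilename.indexOf('/') >= 0 || clientFilename.indexOf('\\') >= 0
                || clientFilename.indexOf('\0') >= 0 || clientFilename.contains("..")) {
            throw new IllegalArgumentException("path characters are not allowed in a file name");
        }
        int dot = clientFilename.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientFilename.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + ext);
        }
        // Canonicalise the root, then confirm the normalised target still lies beneath it.
        Path root = uploadRoot.toRealPath();
        Path target = root.resolve(clientFilename).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("target escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("uploads");
        // Constructed sample names: one legitimate, three that must be rejected.
        String[] samples = { "report.pdf", "../../escaped.jsp", "notes.jsp", "sub/dir.txt" };
        for (String name : samples) {
            try {
                System.out.println("ACCEPT " + resolveUploadTarget(root, name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the other three are refused before any file is written, which is the property an upload handler needs whether or not the framework beneath it is patched.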