Attackers are trying to leverage public proof-of-concept (PoC) exploit code for CVE-2023-50164, the recently patched path traversal vulnerability in Apache Struts 2.
“Attackers aim to deploy webshells, with some cases targeting the parameter ‘fileFileName’ – a deviation from the original exploit PoC,” Akamai’s Security Intelligence Group flagged on Wednesday.
The Shadowserver Foundation has also started noticing exploitation attempts in their sensors, though they don’t see them succeeding.
About the vulnerability
CVE-2023-50164, reported by Steven Seeley of Source Incite, enables path traversal by manipulating file upload parameters and, in some cases, may allow attackers to upload malicious files that can be used to achieve remote code execution.
The vulnerability affects Apache Struts versions:
- 2.0.0 through 2.5.32
- 6.0.0 through 6.3.0.1
- 2.0.0 through 2.3.37 (which are no longer supported)
It has been fixed in Apache Struts versions 2.5.33 and 6.3.0.2, and Struts 2 developers and users have been urged to upgrade as soon as possible – there are no workarounds.
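Upgrading is the only fix, but defenders can still watch for the pattern the advisory and Akamai describe: a file upload parameter carrying a path instead of a bare filename. The following is an added example, not code from Akamai, Shadowserver or the Apache Struts project. It scans constructed log records (the tab-separated format, client addresses and parameter values are all made up for this example) for Struts-style "<field>FileName" parameters whose value decodes to a traversal or absolute path, matching the parameter name case-insensitively so that casing variants such as the "fileFileName" mentioned above are not missed (an assumption of this example), and it pairs that detection with the input check an application would apply before writing the file.

```python
"""Detect and reject path traversal in file upload parameter values.

Added example (not Akamai's, Shadowserver's or Apache Struts' code).
The log format and sample values below are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log: one upload parameter per line, tab-separated
# fields: timestamp, client IP, request line, name=value. Not a real Struts log.
SAMPLE_LOG = """\
2023-12-13T10:01:02Z\t203.0.113.5\tPOST /upload.action\tfileFileName=report.pdf
2023-12-13T10:01:07Z\t203.0.113.9\tPOST /upload.action\tfileFileName=..%2F..%2Fa.jsp
2023-12-13T10:01:09Z\t198.51.100.7\tPOST /upload.action\tFileFileName=..%252F..%252Fx.jsp
2023-12-13T10:01:11Z\t198.51.100.7\tPOST /upload.action\tupload=notes.txt
2023-12-13T10:01:15Z\t192.0.2.44\tPOST /upload.action\tdocFileName=C:\\boot.ini
"""

# Parameters that carry a client-supplied filename. Matched case-insensitively
# (assumption: casing variants of the same parameter name should be treated alike).
FILENAME_PARAM = re.compile(r"filename$", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double encoding is undone."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reason(value: str):
    """Return why a filename value is unsafe, or None if it is a plain name."""
    decoded = decode_fully(value).replace("\\", "/")  # treat backslash as a separator
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        return "absolute path"
    if ".." in decoded.split("/"):
        return "dot-dot segment"
    if "/" in decoded:
        return "directory separator"
    return None


def find_suspicious_uploads(log_text: str):
    """Scan log lines; flag filename parameters whose value carries a path."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, request, kv = line.split("\t", 3)
        name, _, value = kv.partition("=")
        if not FILENAME_PARAM.search(name):
            continue
        reason = traversal_reason(value)
        if reason:
            hits.append((ip, request, name, decode_fully(value), reason))
    return hits


def safe_upload_name(value: str) -> str:
    """Hardening counterpart: accept only a bare filename, reject anything else."""
    reason = traversal_reason(value)
    if reason:
        raise ValueError(f"rejected upload name {value!r}: {reason}")
    name = posixpath.basename(decode_fully(value))
    if not name or name in (".", ".."):
        raise ValueError("empty filename")
    return name


def is_rejected(value: str) -> bool:
    """True if safe_upload_name refuses the value (convenience for callers)."""
    try:
        safe_upload_name(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for ip, request, name, decoded, reason in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{ip} {request} {name}={decoded!r}: {reason}")
```

The scanner deliberately decodes in bounded rounds rather than once, because a single `%2F` and a double-encoded `%252F` both end up as a separator once the application has finished decoding; the rejection function refuses any separator at all instead of trimming to a basename, since an upload that needed a directory component is itself a signal worth surfacing.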
PoC exploit code for CVE-2023-50164 is public
An analysis and reproduction of the bug was published on December 12, and the author noted that “this vulnerability requires different POCs to be produced according to different scenarios, because if strict interception and inspection are carried out at the file upload point, it will be difficult to bypass.”
A PoC exploit script was released on December 13 by vulnerability researcher Ákos Jakab, but it works only when the target app is deployed to Apache Tomcat.