A proof-of-concept (PoC) exploit for the critical Apache Struts vulnerability, CVE-2024-53677, has been publicly released, raising alarm across the cybersecurity community.
This vulnerability, which scores a 9.5 on the CVSS scale, allows attackers to execute arbitrary code remotely by exploiting flaws in the framework’s file upload mechanism.
The vulnerability affects Apache Struts versions 2.0.0 through 2.5.33 and 6.0.0 through 6.3.0.2, with a fix available in version 6.4.0 and later.
The vulnerability stems from a path traversal flaw in the deprecated `FileUploadInterceptor` component of Apache Struts, a widely used Java-based web application framework.
By manipulating file upload parameters, attackers can bypass security restrictions to upload malicious files into unauthorized directories. This can lead to:
- Path Traversal: Uploading files to arbitrary locations within the server.
- Remote Code Execution (RCE): Executing malicious code, such as web shells or binary payloads, to gain full control of the compromised system.
The flaw is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type, a vulnerability type that has historically led to significant breaches.
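As an added illustration in Python (not code from Apache Struts or from this article), the pattern behind this class of flaw: a naive destination built from the client-supplied file name, beside a hardened check that rejects separators, traversal components, control characters and server-executable extensions, then canonicalises the result and confirms it stays under the upload root. The upload root, extension list and sample names are constructed for the example.

```python
import posixpath

# Constructed values for this example; neither is taken from the article.
UPLOAD_ROOT = "/var/app/uploads"
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".war", ".jar", ".sh"}


def unsafe_destination(root, client_filename):
    """The pattern behind a file-upload path traversal: the client-supplied
    name is joined to the upload directory without validation, so any
    '..' segments walk the write out of that directory."""
    return posixpath.normpath(posixpath.join(root, client_filename))


def check_upload_name(root, client_filename):
    """Hardened counterpart. Returns (destination, "ok") or (None, reason);
    the reason is meant to be logged so rejected uploads become a signal."""
    root = posixpath.normpath(root)
    name = client_filename or ""
    if not name or any(ord(c) < 32 for c in name):
        return None, "empty name or control character"
    # Only a bare file name is acceptable: no separators, no '.'/'..'.
    if "/" in name or "\\" in name or name in (".", ".."):
        return None, "path separator or traversal in name"
    # CWE-434 is about dangerous types: deny what the container would execute.
    if posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
        return None, "server-executable extension"
    # Defense in depth: canonicalise and prove the result is still under root,
    # so a future change to the rules above cannot silently reopen traversal.
    candidate = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, candidate]) != root:
        return None, "resolved outside upload root"
    return candidate, "ok"


if __name__ == "__main__":
    # Constructed sample names: one benign, two that the checks should reject.
    for sample in ("report.pdf", "../../outside/payload.txt", "page.jsp"):
        print(f"{sample!r:32} unsafe -> {unsafe_destination(UPLOAD_ROOT, sample)}")
        print(f"{'':32} safe   -> {check_upload_name(UPLOAD_ROOT, sample)}")
```

Logging the rejection reason gives a detection hook: a burst of "path separator or traversal in name" rejections from one client is the kind of scanning activity the article describes.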
PoC Released – CVE-2024-53677
The release of PoC exploit code has significantly escalated the risk of mass exploitation.
Security researchers have observed early indicators of active attacks targeting vulnerable systems, with automated tools being leveraged to scan for and exploit susceptible instances of Apache Struts.
Given the widespread adoption of Struts in enterprise environments, this vulnerability poses a severe threat to organizations relying on older versions of the framework.
The timing of this development is particularly concerning as it coincides with reduced staffing levels during the holiday season, potentially delaying mitigation efforts.
The Apache Software Foundation has strongly advised all users to upgrade to version 6.4.0 or later immediately.
This update introduces a new `Action File Upload` mechanism that replaces the vulnerable component; because it is not backward compatible, applications must be refactored to use it.
For organizations unable to upgrade promptly, alternative measures include:
- Disabling the file upload functionality if not essential.
- Applying Web Application Firewall (WAF) rules to block malicious file uploads.
- Using third-party patches for legacy versions, such as those provided by HeroDevs.
Organizations must prioritize patching their systems or implementing compensatory controls to mitigate this critical vulnerability.
The release of the PoC exploit code underscores the urgency of addressing CVE-2024-53677 before it becomes a vector for widespread attacks akin to previous high-profile breaches.