Years-Old Vulnerable Apache Struts 2 Versions See 387K Weekly Downloads – Hackread – Cybersecurity News, Data Breaches, AI, and More


It turns out that even in the world of software, ‘old’ doesn’t mean ‘gone.’ In a report shared with Hackread.com, cybersecurity researchers at Sonatype revealed a massive spike in downloads of long-outdated Apache Struts versions.

We are talking about a specific flaw called CVE-2025-68493. What makes this discovery unique is how it was found. According to the Apache Struts security bulletin (S2-069), it was identified by Zast AI, an autonomous AI security research system.

As we know, AI is now hunting for bugs faster than humans can, which is a bit of a double-edged sword: while it finds the holes, it also gives organisations almost no time to react before someone else exploits them.

Full breakdown of downloads (Credit: Sonatype)

What’s actually broken?

According to Sonatype researchers, the problem lies in the XWork component, the main engine that helps the software process data. The flaw involves ‘unsafe XML parsing,’ which is basically the way the software reads instructions.

“The real risk does not emerge at disclosure,” the researchers noted in the blog post, “it emerges in the lag between knowing and changing what is actually deployed.”

Further probing revealed that an attacker doesn’t need to be a master spy or take full control of a computer to cause trouble. By sending “crafted input,” they can force the system into an infinite loop, eating up CPU and memory until it crashes. It is a digital heart attack for a web server. This flaw impacts a huge range of versions, from 2.0.0 through 6.1.0, and carries a high severity score of 8.8.

The Dead Software Problem

The real shocker is the scale of the risk. In just one week, over 387,000 people downloaded these vulnerable versions, and a whopping 98% of those downloads were for End-of-Life (EOL) versions.

These are versions like Struts 2.3, which haven’t seen an official update in over 2,200 days. If you are using these, there is no official patch coming to save you because the creators stopped supporting them years ago.

Versions without any official update (Credit: Sonatype)

The Fix

Further investigation revealed that while a safe version, Struts 6.1.1, is available, almost nobody is using it yet. This new version includes “stricter parser hardening” to block these attacks. Currently, only about 1.8% of the downloads (6,243 downloads) over the same period were for the secure version.

Researchers noted that these old versions remain “deeply embedded” in company systems, making them a ticking time bomb. Every version before 6.1.1 should be considered dangerous. If you’re a developer or a business owner, check your versions now, as the window to fix this is closing fast.
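One way to act on that advice for a Maven project, added here as an example that is neither the article's nor Sonatype's code: it scans a pom.xml for struts2-core dependencies and flags any version inside the affected range the article gives (2.0.0 through 6.1.0, fixed in 6.1.1). The sample pom, its property-pinned version and the helper names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Affected range and fixed version as stated in the article (S2-069 / CVE-2025-68493).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (6, 1, 0)
FIXED = (6, 1, 1)
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(v):
    """Turn '6.1.0' or '2.3.37-SNAPSHOT' into a comparable tuple of leading integers."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_affected(version):
    """True when the version falls in the vulnerable range (inclusive at both ends)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def struts_findings(pom_xml):
    """Return [(resolved_version, affected)] for every struts2-core dependency.

    Resolves ${property} placeholders against <properties>, a common way to pin
    the Struts version, so the check does not miss indirectly declared versions."""
    root = ET.fromstring(pom_xml)
    ns = MAVEN_NS if root.tag.startswith("{") else ""  # handle pom files without xmlns too
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for block in root.iter(f"{ns}properties") for p in block}
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        if (dep.findtext(f"{ns}groupId", "") != "org.apache.struts"
                or dep.findtext(f"{ns}artifactId", "") != "struts2-core"):
            continue
        raw = (dep.findtext(f"{ns}version") or "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", raw)
        version = props.get(ref.group(1), raw) if ref else raw
        findings.append((version, is_affected(version)))
    return findings


# Constructed sample pom.xml (not from any real project), pinned via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.37</struts.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
    <version>${struts.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    for version, affected in struts_findings(SAMPLE_POM):
        print(f"struts2-core {version}: {'AFFECTED, upgrade to 6.1.1+' if affected else 'ok'}")
```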
