Struts File Upload Vulnerability Could Lead to Remote Code Execution
Key Information
- Vendor
- Apache
- Status
- Apache Struts
- Vendor
- CVE Published:
- 7 December 2023
Badges
Summary
The CVE-2023-50164 vulnerability in Apache Struts enables remote code execution and is being actively exploited by threat actors. It affects a wide range of systems, including those used by Fortune 500 companies and various industries. The vulnerability requires specific conditions for exploitation, limiting the scope of potential attacks but still posing a significant risk. It is crucial for organizations to upgrade to the recommended Struts versions to address the issue. It's also important to note that previous vulnerabilities in Apache Struts have been exploited by ransomware groups, highlighting the urgency of addressing this vulnerability.
Affected Version(s)
Apache Struts <= 2.5.32
Apache Struts <= 6.3.0.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Cyber Threat Intelligence Reports | Risk Research | Out of Band
Cyber Threat Intelligence Reports and the latest research on Cybersecurity risks applicable to an organization, its industry, and geography.
10 months ago
Patch Now: Exploit Activity Mounts for Dangerous Apache Struts 2 Bug
CVE-2023-50164 is harder to exploit than the 2017 Struts bug behind the massive breach at Equifax, but don't underestimate the potential for attackers to use it in targeted attacks.
10 months ago
80 percent of Struts 2 downloads include critical flaw
Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code. The...
11 months ago
EPSS Score
16% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 👾
Exploit exists.
First article discovered by BleepingComputer
Vulnerability published.
Vulnerability Reserved.