Date of Disclosure (source): December 11, 2024
Date Reported as Actively Exploited (source): December 17, 2024
CVE-2024-53677 allows attackers to execute arbitrary code on affected servers running the Apache Struts web framework. This flaw stems from improper input validation, enabling malicious actors to perform remote code execution and potentially take full control of compromised systems.
A public exploit for this CVE is now available, and multiple malicious hosts were observed targeting it in GreyNoise in the last few days. Organizations using Apache Struts are urgently advised to apply the latest security patches and enhance their monitoring measures to protect against ongoing exploitation attempts.
| Field |
Details |
| CVE-ID |
CVE-2024-53677 – CVSS 9.5 (critical) – assigned by Apache Software Foundation |
| Vulnerability Description |
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. |
| Date of Disclosure |
December 11, 2024 |
| Affected Assets |
Apache Struts file upload mechanism |
| Vulnerable Software Versions |
- Struts 2.0.0 through Struts 2.3.37 (EOL)
- Struts 2.5.0 through Struts 2.5.33 (EOL)
- Struts 6.0.0 through Struts 6.3.0.2
|
| PoC Available? |
A PoC exploit is publicly available on GitHub. |
| Exploitation Status |
An article from Bleeping Computer includes reports of exploitation attempts appearing to use publicly available exploits. This article additionally reports that exploitation has only been observed from a single IP address, 169.150.226[.]162. Additionally, multiple hosts were observed exploiting this vulnerability in GreyNoise. |
| Patch Status |
Apache has advised customers to upgrade to Struts 6.5.0 or greater and use Action File Upload Interceptor. |
Censys Perspective
At the time of writing, Censys observed 13,539 exposed web applications utilizing the Apache Struts framework. A large proportion of these (69%) are geolocated in the United States. Note that not all instances observed are vulnerable as we do not have specific versions available.
Apache Struts is difficult to fingerprint because it is deeply integrated with web applications and lacks distinctive signatures, making it challenging to detect using standard identification methods.
Map of Exposed Instances Running Apache Struts:
Censys Search Query:
services.software: (vendor="Apache" and product="Struts") and not labels: {honeypot, tarpit}
Censys ASM Query:
host.services.software.vendor="Apache" and host.services.software.product="Struts" and not host.labels: {honeypot, tarpit}
Note that this fingerprint was recently deployed and results may take 24 hours to fully propagate.
The following query can be used as a strong indicator of Apache Struts. However, it has a lower confidence level than the query above and requires further investigation on the host to confirm that Struts is in use:
services: ("index.action" and http.response.headers:(key="Set-Cookie" and value.headers:"JSESSIONID") and http.response.status_code=200)
References
