CVE-2024-53677: A Critical Vulnerability in Apache Struts Exposing Over 83,000 Targets
A critical vulnerability, CVE-2024-53677, has been identified in the popular Apache Struts framework, threatening the security of thousands of systems worldwide. This flaw, caused by weaknesses in the file upload mechanism, allows attackers to execute arbitrary code remotely. With over 83,000 targets identified on Fofa at the time of writing, the exposure is substantial, demanding immediate action from organizations using Apache Struts.
Key Details
Vulnerability Description
The vulnerability stems from flaws in the file upload logic of Apache Struts, enabling attackers to:
- Path Traversal: Upload files to arbitrary locations on the server, bypassing security restrictions.
- Remote Code Execution (RCE): Execute malicious code, such as .jsp scripts or binary payloads, to compromise the server entirely.
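The two controls this vulnerability class defeats are the ones an upload handler must enforce itself: the client-supplied file name must never choose the destination directory, and server-executable extensions such as .jsp must never be written where the container could serve them. The following is an added illustration of a hardened handler, not Apache Struts code; the class name, the upload root and the extension allowlist are assumptions for the demo, and upgrading to a fixed Struts release remains the actual remedy.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added illustration, not Apache Struts code: an upload handler that never lets the
// client-supplied file name choose the destination directory or the served extension.
public final class SafeUploadDestination {
    // Allowlist for this demo; anything the container executes (.jsp, .jspx, ...) is absent.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "pdf", "txt");

    /** Returns the canonical path to write to, or throws if the client name is unsafe. */
    public static Path resolve(Path uploadRoot, String clientFileName) {
        if (clientFileName == null || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or NUL-containing file name");
        }
        // Traversal check: collapse both separator styles and keep only the last component.
        String normalized = clientFileName.replace('\\', '/');
        String base = normalized.substring(normalized.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + clientFileName);
        }
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Server-generated name: the client-controlled string never reaches the filesystem.
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path dest = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!dest.startsWith(root)) {  // defence in depth against any resolver surprise
            throw new IllegalStateException("destination escaped upload root");
        }
        return dest;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads");      // constructed sample root
        String[] samples = { "report.pdf",              // constructed sample names
            "../../webapps/ROOT/shell.jsp",              // traversal plus executable extension
            "..\\..\\webapps\\ROOT\\cmd.jspx" };          // Windows-style separators
        for (String s : samples) {
            try { System.out.println("ACCEPT " + s + " -> " + resolve(root, s)); }
            catch (RuntimeException e) { System.out.println("REJECT " + s + " : " + e.getMessage()); }
        }
    }
}
```

Only the first sample is accepted; the other two are refused on the extension check before any path is built, and the startsWith check would still catch a name that somehow escaped the root.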
Affected Versions
- Apache Struts 2.0.0 to 2.5.33
- Apache Struts 6.0.0 to 6.3.0.2
Fixed Versions
- Apache Struts 6.4.0 and later
The Apache Struts team has resolved the vulnerability in version 6.4.0 and introduced a…