Critical Apache Struts Vulnerability CVE-2024-53677 Exploited in Active Attacks
A critical vulnerability in Apache Struts 2, identified as CVE-2024-53677, poses a severe threat due to its potential to enable remote code execution (RCE). This flaw, which affects Struts versions 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2, is rooted in the framework's file upload logic. By exploiting this vulnerability, attackers can manipulate file upload parameters to achieve path traversal and upload malicious files, such as web shells, into restricted directories. If successful, this allows attackers to execute commands remotely, deploy additional payloads, and compromise sensitive data.
Apache's security bulletin recommends upgrading to Struts 6.4.0 or later and adopting the new Action File Upload mechanism. However, patching alone is insufficient because the new mechanism is not backward compatible: organizations must rewrite their file upload handling code to use it, since continuing to rely on the outdated FileUploadInterceptor leaves systems vulnerable. As Apache warns, "Keep using the old File Upload mechanism keeps you vulnerable to this attack." In response to the active exploitation, national cybersecurity agencies in Canada, Australia, and Belgium have issued public alerts urging prompt action. Given the potential for significant disruptions and data breaches, organizations using affected versions of Struts must act swiftly to secure their systems.
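As an added illustration (not code from the article or from Apache), the shape of an upload action rewritten for the Struts 6.4 Action File Upload mechanism, assuming the `UploadedFilesAware`/`UploadedFile` API introduced in Struts 6.4.0, the `actionFileUpload` interceptor in the action's stack, and a hypothetical upload root. The destination directory and stored filename are decided server-side and the client-supplied name is reduced to a validated base name, which is what removes the path traversal the bulletin describes.

```java
package example.upload; // hypothetical package

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed server-side upload root; never derived from request data.
    private static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private UploadedFile uploadedFile;

    // Populated only by the actionFileUpload interceptor. Unlike the old mechanism,
    // there is no request-settable *FileName property for a client to overwrite.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (!uploadedFiles.isEmpty()) {
            uploadedFile = uploadedFiles.get(0);
        }
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) {
            addActionError("No file received");
            return INPUT;
        }
        // Keep only the base name of what the client sent and allow-list it; the
        // extension check rejects server-side scripts such as the reported exploit.jsp.
        String original = uploadedFile.getOriginalName() == null ? "" : uploadedFile.getOriginalName();
        String baseName = original.substring(Math.max(original.lastIndexOf('/'), original.lastIndexOf('\\')) + 1);
        if (!baseName.matches("[A-Za-z0-9_-]{1,64}\\.(pdf|png|jpg|txt)")) {
            addActionError("Rejected filename");
            return INPUT;
        }
        // Store under a server-generated name; the sanitized original is metadata only.
        Path target = UPLOAD_ROOT.resolve(UUID.randomUUID() + "-" + baseName).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) { // defence in depth: must stay inside the root
            addActionError("Rejected path");
            return INPUT;
        }
        // getContent() is assumed to return the temporary java.io.File of the upload.
        Files.copy(((File) uploadedFile.getContent()).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}
```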
According to Johannes Ullrich from ISC SANS, exploit attempts leveraging public proof-of-concept (PoC) code are already underway. Ullrich noted, "We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems." Attackers have been observed uploading a file named "exploit.jsp" containing a simple script designed to return the string "Apache Struts". This method allows attackers to verify whether the target system is vulnerable and whether their upload was successful. These enumeration activities highlight the urgency for affected organizations to address this vulnerability immediately, as exploitation attempts are likely to escalate.