Threat actors are attempting to exploit a recently disclosed high-risk vulnerability in the widely used open-source web application framework Apache Struts.
The flaw, tracked as CVE-2024-53677, is a path traversal in the framework's file upload handling: an attacker who can reach an upload action can cause the uploaded file to be written outside the intended directory, for example as a JSP page under the web root, which then executes when it is requested and yields remote code execution (RCE). If successfully exploited, the flaw could be used to execute malicious commands, exfiltrate sensitive data, or deploy additional malware for follow-on attacks.
CVE-2024-53677 bears similarities to another critical issue, CVE-2023-50164, a path traversal in the same file upload logic that was patched in December 2023 (Struts 2.5.33 and 6.3.0.2). That earlier vulnerability was exploited in the wild shortly after disclosure. Researchers believe an incomplete fix for CVE-2023-50164 may have contributed to the emergence of the new flaw.
The vulnerability affects Struts 2.0.0 through 2.3.37 (end-of-life, no fix will be released), Struts 2.5.0 through 2.5.33, and Struts 6.0.0 through 6.3.0.2. Project maintainers have addressed the issue in Struts 6.4.0 and later and urge all users to update immediately. Upgrading the library alone is not sufficient, however: the Struts advisory states that applications must also migrate their upload handling from the legacy FileUploadInterceptor to the new ActionFileUploadInterceptor introduced in 6.4.0, because the old interceptor remains vulnerable. Applications that do not use the legacy upload mechanism at all are not affected.
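The two facts above (the affected version ranges, and the need to migrate off the legacy upload interceptor) can be turned into a quick deployment audit. The script below is an added example written for this article; it is not code from the Struts project. It assumes the deployed application ships a `struts2-core-<version>.jar` under `WEB-INF/lib` and wires interceptors in `struts.xml`, and that the legacy and replacement interceptors are registered under the names `fileUpload` and `actionFileUpload` in `struts-default.xml` (confirm those names against the Struts version you deploy).

```python
"""Audit a deployed Struts 2 application for CVE-2024-53677 exposure.

Added example, not part of the original article or the Struts project.
Two questions decide exposure:
  1. Is struts2-core older than 6.4.0?
  2. Does struts.xml still reference the legacy `fileUpload` interceptor
     (FileUploadInterceptor)? The 6.4.0 fix only helps once uploads are
     migrated to `actionFileUpload` (ActionFileUploadInterceptor).
Interceptor names are assumed to match struts-default.xml; verify them for
your Struts version.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED = (6, 4, 0)
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2); tuple comparison orders versions correctly."""
    return tuple(int(p) for p in text.split("."))


def jar_vulnerable(jar_name):
    """Return (version_tuple, is_vulnerable) for a struts2-core jar name, else None."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    version = parse_version(m.group(1))
    return version, version < FIXED


def legacy_upload_refs(struts_xml_text):
    """Names of actions or stacks in struts.xml that reference the legacy
    fileUpload interceptor. Note: the stock defaultStack also includes it,
    so an empty result does not prove the app avoids legacy uploads."""
    root = ET.fromstring(struts_xml_text)
    hits = []
    for parent in root.iter():
        for ref in parent.findall("interceptor-ref"):
            if ref.get("name") == "fileUpload":
                hits.append(parent.get("name", parent.tag))
    return hits


def audit(webapp_dir):
    """Walk an exploded webapp: report jar versions and legacy interceptor use."""
    webapp_dir = Path(webapp_dir)
    report = {"jars": [], "legacy_upload_refs": []}
    for jar in webapp_dir.rglob("struts2-core-*.jar"):
        result = jar_vulnerable(jar.name)
        if result:
            report["jars"].append((jar.name, result[1]))
    for cfg in webapp_dir.rglob("struts.xml"):
        report["legacy_upload_refs"] += legacy_upload_refs(cfg.read_text())
    # Exposed if the jar is pre-6.4.0, or if uploads still go through the
    # legacy interceptor even on a patched jar.
    report["exposed"] = any(v for _, v in report["jars"]) or bool(report["legacy_upload_refs"])
    return report


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the exploded webapp directory (for Tomcat, `webapps/<app>`). A report with `exposed: True` means either the jar predates the fix or an action still routes uploads through `fileUpload`; both need attention, and a 6.4.0 jar with no explicit references should still be checked for implicit use via the default stack.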
Researchers at the SANS Technology Institute said they detected exploitation attempts against CVE-2024-53677 resembling the original proof-of-concept (PoC). Attackers are using simple scripts to identify vulnerable instances. Currently, the scans are originating from a single IP address.
Initial scans targeted endpoints such as / and /cbs, the latter potentially linked to other upload vulnerabilities. Once a vulnerable system is identified, the attacker uploads a small script that does nothing more than return the framework's name, confirming that the upload landed somewhere the server will execute it. This reconnaissance step is then followed by more sophisticated attempts to execute arbitrary code. Defenders should therefore watch for new, unexpected server-side script files appearing under the web root shortly after an upload request, not only for the final payload.
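The sequence described above (probe the site, post an upload, then request the newly written script) leaves a recognisable trace in ordinary access logs, so it can be detected without any payload signature. The script below is an added example written for this article, not code from SANS or the original report. It assumes Apache/Tomcat combined log format; the upload endpoint `/upload.action`, the file name `/probe.jsp`, the source addresses and the log lines themselves are constructed for the demonstration.

```python
"""Detect upload-then-execute behaviour in web server access logs.

Added example, not from the original article or SANS. Assumes combined log
format. Two signals are raised per source IP:
  * "probe": the IP requested both / and /cbs (the endpoints the scans hit).
  * "upload_then_exec": the IP fetched a .jsp path that has never been seen
    before, within WINDOW of its own POST, and the server answered 200.
Endpoint names, IPs and timestamps in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
PROBE_PATHS = frozenset({"/", "/cbs"})
WINDOW = timedelta(minutes=5)

# Constructed sample: one scanner following the described pattern, one normal user.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Dec/2024:08:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Dec/2024:08:01:03 +0000] "GET /cbs HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Dec/2024:08:01:05 +0000] "POST /upload.action HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Dec/2024:08:01:06 +0000] "GET /probe.jsp HTTP/1.1" 200 14 "-" "python-requests/2.31"',
    '198.51.100.20 - - [16/Dec/2024:08:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [16/Dec/2024:08:05:30 +0000] "POST /upload.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [16/Dec/2024:08:05:31 +0000] "GET /index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]   # ignore query strings
    return d


def find_suspicious(lines, known_jsp=frozenset()):
    """Return findings as (ip, kind, path) tuples in log order.

    known_jsp: inventory of legitimate JSP paths. In production feed the
    real inventory here; relying only on 'first seen in this log' misses
    a file that was planted before the log window began."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_post = {}                 # ip -> time of most recent POST
    probes = defaultdict(set)      # ip -> probe paths hit so far
    probe_flagged = set()
    seen_jsp = set(known_jsp)
    findings = []
    for e in events:
        ip, path = e["ip"], e["path"]
        if e["method"] == "POST":
            last_post[ip] = e["ts"]
            continue
        if e["method"] != "GET":
            continue
        if path in PROBE_PATHS:
            probes[ip].add(path)
            if probes[ip] >= PROBE_PATHS and ip not in probe_flagged:
                probe_flagged.add(ip)
                findings.append((ip, "probe", path))
        if path.lower().endswith(".jsp"):
            is_new = path not in seen_jsp
            recent_post = ip in last_post and e["ts"] - last_post[ip] <= WINDOW
            if is_new and recent_post and e["status"] == 200:
                findings.append((ip, "upload_then_exec", path))
            seen_jsp.add(path)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

The `upload_then_exec` rule is the one that matters: a 200 response for a JSP nobody has ever requested, seconds after the same client posted to the application, is exactly what a successful traversal upload looks like from the outside. The `probe` rule is a weaker, noisier signal and is only worth alerting on in combination with the first or as a hunting lead.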