A newly disclosed critical vulnerability in Apache Struts, CVE-2024-53677, enables remote code execution (RCE) and is being actively exploited in the wild using a publicly available proof-of-concept (PoC). Apache Struts is an open-source framework for building Java web applications; it powers everything from e-commerce sites to financial systems and government platforms.
The flaw lies in the file upload handling of the deprecated File Upload Interceptor: by manipulating the upload parameters, an attacker can perform path traversal and write a file of their choosing outside the intended upload directory. It affects Apache Struts 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2. Any application that still relies on the deprecated interceptor is exposed; once a web shell has been dropped into a web-accessible directory, the attacker can execute commands, exfiltrate data, and stage follow-on attacks (BleepingComputer, 2024; The Hacker News, 2024).
Technical Details
- Vulnerability Type: CWE-434 (Unrestricted Upload of File with Dangerous Type)
- CVSS Score: 9.5 (Critical)
- Affected Versions:
- Apache Struts: 2.0.0–2.3.37, 2.5.0–2.5.33, and 6.0.0–6.3.0.2.
Exploitation Process
- Exploitation:
- Threat actors manipulate the file upload parameters processed by the deprecated File Upload Interceptor so that the supplied file name traverses out of the intended upload directory.
- The uploaded file, typically a JSP web shell, lands in a web-accessible location such as the application root, giving the attacker arbitrary command execution on the server (Cybersecurity News, 2024).
- Post-Exploitation:
- Execution of arbitrary commands through the web shell (e.g., Java payloads or, on Windows hosts, encoded PowerShell scripts).
- Deployment of additional tools for persistence and lateral movement.
- Enumeration:
- Attackers confirm a successful upload by requesting the planted script (e.g., exploit.jsp, which simply prints the string "Apache Struts").
- Initial scans detected from IP address 169.150.226[.]162 (The Register, 2024).
Indicators of Compromise (IoCs)
Suspicious Files:
- Uploaded web shells such as exploit.jsp, and more generally any JSP file in a directory the application does not deploy to.
IP Addresses:
- 169.150.226[.]162: Detected as the origin of initial exploit scans (The Hacker News, 2024).
Malicious Behavior:
- Path traversal exploitation targeting file upload mechanisms.
- Unauthorized commands, such as PowerShell or Java payloads, spawned from the web server or servlet container process.
Mitigation Steps
- Patch Immediately:
- Upgrade Apache Struts to version 6.4.0 or later (Apache Security Bulletin, 2024).
- Migrate every action that uses the deprecated File Upload Interceptor to the new Action File Upload Interceptor. The upgrade alone does not close the hole: the old interceptor is still shipped in 6.4.0, and applications that keep using it remain vulnerable. Applications that never used the old file upload mechanism are not affected.
- Review and Update Code:
- Rewrite upload actions for the backward-incompatible API. The new interceptor hands uploaded files to the action through a dedicated interface rather than through settable request parameters, so the old upload/uploadFileName/uploadContentType setters and the interceptor references in struts.xml must be changed, not just recompiled.
- Analyze Logs and Directories:
- Investigate logs for evidence of unauthorized file uploads or suspicious activity targeting uploaded scripts (VPNRanks, 2024).
- Strengthen Network Security:
- Block unauthorized external traffic and isolate vulnerable systems from the public internet.
- Threat Hunting:
- Search for IoCs, including uploaded web shells and unauthorized file uploads.
- Monitor Systems:
- Deploy Endpoint Detection and Response (EDR) on the web tier to catch post-exploitation behaviour, such as the servlet container process spawning shells or PowerShell, and to alert on new executable content appearing under the web root.
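The following is an added example (not code from the original page, from Apache, or from Centripetal) of the "Threat Hunting" step above and of the file IoCs listed earlier: it walks a servlet container's webapps tree and reports every JSP or JSPX file that is absent from a known-good baseline, or whose SHA-256 differs from the baseline. The baseline map (deployed path to SHA-256), the temporary webapps tree, and the planted exploit.jsp are all constructed inside the block for demonstration; in practice the baseline is built from a clean deployment artefact and the scan runs against the real webapps directory. Java 17 or later is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Hunts for JSP web shells by diffing a webapps tree against a known-good baseline. */
public class JspShellHunt {

    /** One suspicious file: path relative to webapps, why it was flagged, its hash and mtime. */
    public record Finding(String relativePath, String reason, String sha256, Instant modified) {}

    /**
     * Returns every .jsp/.jspx under {@code webapps} that is not in {@code baseline}
     * (relative path -> expected SHA-256) or whose content no longer matches the baseline hash.
     */
    public static List<Finding> scan(Path webapps, Map<String, String> baseline) throws IOException {
        List<Finding> findings = new ArrayList<>();
        List<Path> files;
        try (Stream<Path> walk = Files.walk(webapps)) {
            files = walk.filter(Files::isRegularFile).collect(Collectors.toList());
        }
        for (Path p : files) {
            String rel = webapps.relativize(p).toString().replace('\\', '/');
            String lower = rel.toLowerCase();
            if (!(lower.endsWith(".jsp") || lower.endsWith(".jspx"))) {
                continue; // only server-side executable pages are of interest here
            }
            String hash = sha256(Files.readAllBytes(p));
            Instant mtime = Files.getLastModifiedTime(p).toInstant();
            String expected = baseline.get(rel);
            if (expected == null) {
                findings.add(new Finding(rel, "JSP not in baseline", hash, mtime));
            } else if (!expected.equals(hash)) {
                findings.add(new Finding(rel, "baseline JSP modified", hash, mtime));
            }
        }
        return findings;
    }

    /** Hex-encoded SHA-256 of the given bytes. */
    static String sha256(byte[] data) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("JVM without SHA-256", e);
        }
    }

    /** Constructed demo: a throwaway webapps tree with one baseline page and a planted exploit.jsp. */
    public static void main(String[] args) throws IOException {
        Path webapps = Files.createTempDirectory("webapps");
        Path root = Files.createDirectories(webapps.resolve("ROOT"));
        byte[] index = "<html>hello</html>".getBytes(StandardCharsets.UTF_8);
        Files.write(root.resolve("index.jsp"), index);
        // Mimics the verification script seen in the wild, which just prints "Apache Struts".
        Files.writeString(root.resolve("exploit.jsp"), "<% out.println(\"Apache Struts\"); %>");

        Map<String, String> baseline = new HashMap<>();
        baseline.put("ROOT/index.jsp", sha256(index)); // known-good deployment content

        for (Finding f : scan(webapps, baseline)) {
            System.out.printf("%-22s %-20s %s %s%n", f.reason(), f.relativePath(), f.sha256(), f.modified());
        }
    }
}
```

The scan deliberately keys on file extension rather than on strings inside the file, because a web shell's body is trivially obfuscated while an unexpected JSP under the web root is not. Pair the findings with the container's access log: a request for the flagged path from an unfamiliar source shortly after the file's modification time is the confirmation an incident responder is looking for.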
Vendor Response
Apache has released Struts 6.4.0, which introduces the Action File Upload Interceptor as the replacement for the deprecated File Upload Interceptor, and urges organizations to upgrade and migrate their upload actions to it. The old interceptor remains present but deprecated, so applications that keep using it after upgrading are still exposed (Apache Security Bulletin, 2024).
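To make the migration concrete, the block below is an added example (not code from the original page, from Apache, or from Centripetal) showing the same upload action twice: first written against the deprecated File Upload Interceptor in the pattern CVE-2024-53677 abuses, then rewritten for the Struts 6.4.0 Action File Upload Interceptor with the file name generated server-side. The upload directory `/var/app/uploads`, the allowed-extension policy, and the cast of `UploadedFile.getContent()` to `java.io.File` (true for the default multipart handler) are assumptions of this example; the two classes would live in separate source files in a real project.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/*
 * BEFORE: action behind the deprecated "fileUpload" interceptor (FileUploadInterceptor).
 * The interceptor injects the temp file, its content type and the client-supplied name through
 * plain setters, which makes uploadFileName just another request parameter. Concatenating it onto
 * the upload directory is the pattern CVE-2024-53677 abuses: a traversal name such as
 * "../../webapps/ROOT/exploit.jsp" escapes uploadDir and lands a JSP web shell in the web root.
 */
class LegacyUploadAction extends ActionSupport {
    private static final File UPLOAD_DIR = new File("/var/app/uploads"); // assumed location

    private File upload;
    private String uploadContentType;
    private String uploadFileName;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadContentType(String t) { this.uploadContentType = t; }
    public void setUploadFileName(String n) { this.uploadFileName = n; }

    @Override
    public String execute() throws IOException {
        File dest = new File(UPLOAD_DIR, uploadFileName);            // VULNERABLE: attacker-chosen path
        Files.copy(upload.toPath(), dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/*
 * AFTER: the same action migrated to the Struts 6.4.0 Action File Upload Interceptor
 * ("actionFileUpload"). Uploads arrive through UploadedFilesAware instead of settable
 * parameters, and each file is stored under a server-generated name inside a canonical
 * upload directory, so the client-supplied name only feeds an allow-listed extension check.
 */
class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "pdf"); // assumed policy

    private List<UploadedFile> uploadedFiles = List.of();

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile uf : uploadedFiles) {
            String ext = extensionOf(uf.getOriginalName());
            if (!ALLOWED_EXTENSIONS.contains(ext)) {
                addActionError("File type not allowed: " + uf.getOriginalName());
                return INPUT;
            }
            Path dest = UPLOAD_DIR.resolve(UUID.randomUUID() + "." + ext).normalize();
            if (!dest.startsWith(UPLOAD_DIR)) {              // defence in depth; cannot trip with a UUID name
                throw new IllegalStateException("upload path escaped " + UPLOAD_DIR);
            }
            File tmp = (File) uf.getContent();               // assumption: default multipart handler
            Files.copy(tmp.toPath(), dest, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /** Lower-cased extension of the last path component; any directory part the client sent is dropped. */
    static String extensionOf(String name) {
        String base = name == null ? "" : name.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

The hardened action must be wired to the `actionFileUpload` interceptor in struts.xml (add it to the stack if the application defines its own), and the old `fileUpload` reference removed; leaving both in place keeps the vulnerable code path reachable. The design choice that actually closes the bug is the server-generated file name: even if a future interceptor bug again lets a client influence the name, nothing the client sends is ever used as a path component.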
Why It Matters
Apache Struts underpins critical systems across industries, including government, finance, and telecommunications. Exploitation of vulnerabilities like CVE-2024-53677 recalls the 2017 Equifax breach, which began with an unpatched Struts flaw and showed the catastrophic cost of delayed mitigation (BleepingComputer, 2024).
The active exploitation of CVE-2024-53677 demands immediate attention. Organizations must prioritize upgrading and migrating their upload code, and actively monitor the web tier for dropped web shells. Delayed action raises the likelihood of full system compromise and secondary attacks.
Centripetal’s CleanINTERNET® service provides a proactive, intelligence-driven defense against vulnerabilities like CVE-2024-53677, which enables remote code execution through improper file upload handling in Apache Struts. Leveraging billions of threat indicators, CleanINTERNET dynamically blocks malicious traffic using real-time global threat feeds and augmented human analysis, proactively protecting organizations from exploitation attempts involving known IoCs. This approach ensures reduced attack surface, enhanced security operations, and uninterrupted business continuity, enabling organizations to adopt a proactive and adaptive cybersecurity strategy against evolving threats.
If you are a current user of Apache Struts, please contact support@centripetal.ai.
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources
- https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/
- https://thehackernews.com/2024/12/patch-alert-critical-apache-struts-flaw.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-53677#VulnChangeHistorySection
- https://www.vpnranks.com/uk/news/critical-apache-struts-flaw-remote-code-execution-looms/
- https://www.theregister.com/2024/12/17/critical_rce_apache_struts/