Fortra is actively researching a vulnerability affecting Apache Struts 2 – CVE-2024-53677. By exploiting this vulnerability, a malicious actor can manipulate file upload parameters to enable path traversal. Under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution. Software patches have been released to address this vulnerability, and customers should upgrade as soon as possible.
Who is affected?
The following versions of Apache Struts are affected by this vulnerability:
- 2.0.0 to 2.3.37 (End of Life)
- 2.5.0 to 2.5.33
- 6.0.0 to 6.3.0.2
Note that only applications that use FileUploadInterceptor are vulnerable.
What can I do?
Customers are recommended to upgrade at least to Struts 6.4.0 (or the latest version) and migrate to the new file upload mechanism.
For more information, refer to this security bulletin.
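As an added triage helper, not code from Fortra or the Apache Struts project, the script below encodes the affected version ranges and the 6.4.0 upgrade target listed above, and adds a heuristic scan of struts.xml for FileUploadInterceptor use. The sample struts.xml and the text-matching heuristic are constructed assumptions; a package that inherits a stack already containing fileUpload is not caught by that text check.

```python
import re

# Affected ranges exactly as listed in the advisory (inclusive bounds).
AFFECTED_RANGES = [("2.0.0", "2.3.37"), ("2.5.0", "2.5.33"), ("6.0.0", "6.3.0.2")]
FIXED_VERSION = "6.4.0"

# Constructed sample struts.xml that explicitly references the interceptor.
SAMPLE_STRUTS_XML = """<struts>
  <package name="upload" extends="struts-default">
    <action name="doUpload" class="example.UploadAction">
      <interceptor-ref name="fileUpload"/>
      <interceptor-ref name="basicStack"/>
    </action>
  </package>
</struts>"""

def parse_version(v: str) -> tuple:
    """Turn '6.3.0.2' into a comparable tuple, zero-padded to 4 components
    so that '2.5.33' and '2.5.33.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    if not parts:
        raise ValueError(f"unparseable Struts version: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def uses_file_upload_interceptor(struts_xml: str) -> bool:
    """Heuristic text check (an assumption, not from the advisory): look for an
    explicit fileUpload interceptor-ref or the interceptor class name. Packages
    inheriting a stack that already contains fileUpload are missed, so a
    negative result is inconclusive, not a clean bill of health."""
    pattern = r'interceptor-ref\s+name="fileUpload"|FileUploadInterceptor'
    return re.search(pattern, struts_xml) is not None

def assess(version: str, struts_xml: str = "") -> dict:
    """Combine the two advisory conditions (version range, interceptor use)."""
    affected = is_affected(version)
    uses_upload = uses_file_upload_interceptor(struts_xml)
    if affected and uses_upload:
        action = f"Upgrade to Struts {FIXED_VERSION}+ and migrate to the new upload mechanism"
    elif affected:
        action = f"In affected range; confirm FileUploadInterceptor use, then upgrade to {FIXED_VERSION}+"
    else:
        action = "Not in an affected range"
    return {"version": version, "affected": affected,
            "uses_file_upload": uses_upload, "action": action}
```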
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Alert Logic Network IDS: Alert Logic released IDS telemetry signatures to aid in detection research. Additionally, existing signatures can detect exploit attempts.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated and agent-based scan detection for this vulnerability on December 23, 2024, followed by unauthenticated scan detection on December 26, 2024.
Fortra VM: Fortra VM Network Scanner version 4.59.0, released on February 14, 2025, contains new remote checks for CVE-2024-53677: Apache Struts2 FileUploadInterceptor Vulnerability (161822).
Tripwire IP360: Tripwire released scan coverage on December 19, 2024, to identify vulnerable instances. If the vulnerability is found, Tripwire vulnerability 688237 will match for CVE-2024-53677.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
12/17/2024: Alert Logic released IDS telemetry signatures to aid in detection research.
12/19/2024: Tripwire released scan coverage to identify vulnerable instances.
12/23/2024: Alert Logic released authenticated and agent-based scan detection.
12/26/2024: Alert Logic released unauthenticated scan detection.
2/14/2025: Fortra VM released a network scanner update with remote checks to identify vulnerable instances.