Summary:

Apache disclosed a critical vulnerability (CVE-2023-50164) in the Apache Struts 2 open-source framework. Successful exploitation can allow an attacker to manipulate file upload parameters to enable path traversal and upload a malicious file. The first proof-of-concept (PoC) exploit code was widely distributed on December 11, and exploitation attempts were observed globally a day later.

Third-party reports indicate that attackers are attempting to deploy web shells, some of which deviate from the original PoC code. Some third-party analysis suggests that the vulnerability may be difficult to exploit at scale. Nonetheless, this is a critical vulnerability that impacted organizations should address as soon as possible.

Recommended actions:

Our Security Partner (Secureworks Counter Threat Unit researchers) recommend that customers review the vendor’s security bulletin and patch vulnerable Apache Struts versions as appropriate in their environments. There are no workarounds available.

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk

References:

• S2-066 – Apache Struts 2 Wiki – Apache Software Foundation
• NVD – CVE-2023-50164 (nist.gov)
• Observed Exploitation Attempts of Struts 2 S2-066 Vulnerability (CVE-2023-50164) | Akamai