Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads

Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used open-source framework for developing Java web applications.

The vulnerability, assigned the identifier CVE-2024-53677, has a critical CVSS score of 9.5, indicating its potential for severe impact if left unaddressed.

Background on the Vulnerability

Apache Struts2 announced the vulnerability last week, highlighting its path-traversal nature.

This flaw allows attackers to upload files into directories that should be restricted, potentially leading to remote code execution.

If hackers successfully upload a webshell into the web root, they could gain unauthorized control over the affected system.

The vulnerability seems to have ties to a previous issue, CVE-2023-50164, which was inadequately addressed, leading to the present threat.

Despite Apache’s efforts, patching this vulnerability is not straightforward. According to Apache, users must transition to a new Action File Upload mechanism and interceptor to mitigate the risk, as the old mechanism leaves systems exposed.

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

Exploit Attempts

Proof-of-concept (PoC) exploits for CVE-2024-53677 have been released publicly, with several attempts now actively targeting vulnerable systems.

These attempts closely mimic the PoC exploit code, aiming to identify systems susceptible to attack.

One observed exploit attempt involves the use of HTTP POST requests to upload a crafted script file, “exploit.jsp,” which contains a simple script intended to verify the presence of Apache Struts.

If successful, attackers can then seek out the uploaded script using HTTP GET requests to execute malicious activities remotely.

Exploit Code Example:

POST /actionFileUpload HTTP/1.1
Host: [honeypot IP address]:8090
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate, zstd
Accept: */*
Connection: keep-alive
Content-Length: 222
Content-Type: multipart/form-data; boundary=0abcfc26e3fa0afbd6db1ba369dfcc37
--0abcfc26e3fa0afbd6db1ba369dfcc37
Content-Disposition: form-data; name="file"; filename="exploit.jsp"
Content-Type: application/octet-stream
<% out.println("Apache Struts"); %>
--0abcfc26e3fa0afbd6db1ba369dfcc37--

According to the ISC reports, current exploit attempts have been traced back to IP address 169.150.226.162, which has been actively scanning for vulnerable systems. The attacker initially targeted simple URLs, likely probing for other upload vulnerabilities.

Given the severity of this vulnerability, organizations using Apache Struts2 must update their systems promptly.

Transitioning to the recommended Action File Upload mechanism is crucial. Additionally, monitoring network traffic for unusual or unauthorized activities can help identify and mitigate potential threats.

Organizations should remain vigilant, as the landscape of cybersecurity threats continues to evolve. Immediate action and continuous security reviews are essential to protect against exploitation and ensure the integrity of web applications.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free