Hackers exploit critical Apache Struts RCE flaw (CVE-2024-53677) after PoC exploit release
Threat actors have begun exploiting a critical vulnerability in the Apache Struts framework, CVE-2024-53677, just days after a proof-of-concept (PoC) exploit was published online. Rated 9.5 on the CVSSv4 severity scale, this vulnerability allows remote attackers to execute arbitrary code by abusing flaws in the file upload logic.
CVE-2024-53677 affects a broad range of Apache Struts versions, including:
- 2.0.0 to 2.5.33
- 6.0.0 to 6.3.0.2
The issue stems from improper validation and handling of file upload parameters. This flaw enables attackers to achieve the following:
- Path Traversal: Upload files to unauthorized locations on the server, bypassing existing security controls.
- Remote Code Execution (RCE): Trigger malicious executable files, such as .jsp scripts or binary payloads, to gain full control over the server.
The Apache Software Foundation has addressed this vulnerability in version 6.4.0 and later. Organizations using deprecated file upload mechanisms are strongly urged to update and adopt the new secure logic introduced in this release, as older methods are incompatible with the fix.
According to Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu, active exploitation attempts have been detected in the wild. These attacks appear to closely follow the PoC exploit code [https://github.com/TAM-K592/CVE-2024-53677-S2-067], with attackers focusing on identifying and compromising vulnerable systems.
Example Exploit Sequence:
- Uploading a Malicious File: The upload request places a malicious .jsp script on the server, designed to confirm successful exploitation.
- Verifying the Uploaded File: Attackers then attempt to locate and execute the uploaded script, which in this case outputs “Apache Struts” to indicate a successful compromise.
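The two-step pattern above (a multipart upload whose filename carries a traversal sequence, followed by a fetch of the dropped .jsp) is what a defender can hunt for in web server or WAF logs. The following is an added detection example, not code from the article or from the Apache Struts project; the log format with a trailing filename="..." field, the sample lines and the IP addresses in them are all constructed assumptions, so adapt LINE_RE to your own log source.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). The format is an assumption: a
# combined-log prefix plus filename="..." as an upload handler or WAF might log it.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /upload.action HTTP/1.1" 200 512 filename="../../webapps/ROOT/shell.jsp"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /shell.jsp HTTP/1.1" 200 13 filename=""
203.0.113.5 - - [01/Jan/2025:10:01:00 +0000] "POST /upload.action HTTP/1.1" 200 512 filename="report.pdf"
203.0.113.5 - - [01/Jan/2025:10:01:05 +0000] "GET /index.jsp HTTP/1.1" 200 900 filename=""
203.0.113.5 - - [01/Jan/2025:10:01:09 +0000] "POST /upload.action HTTP/1.1" 200 512 filename="%252e%252e%252fx.jsp"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ filename="(?P<filename>[^"]*)"$'
)

def normalize(value):
    """Percent-decode until stable (defeats double encoding); unify slashes."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value.replace("\\", "/")

def upload_reasons(filename):
    reasons = []  # why an uploaded filename looks like a traversal or web-shell drop
    if "../" in filename or filename.startswith("/"):
        reasons.append("traversal-in-filename")
    if filename.lower().endswith((".jsp", ".jspx")):
        reasons.append("executable-extension")
    return reasons

def find_suspicious(log_text):
    """(ip, method, target, reasons) hits; a 200 .jsp fetch counts only after the same IP made a suspicious upload."""
    hits, tainted_ips = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # line does not match the assumed format
        ip, method = m["ip"], m["method"]
        if method == "POST":
            name = normalize(m["filename"])
            reasons = upload_reasons(name)
            if reasons:
                tainted_ips.add(ip)
                hits.append((ip, method, name, reasons))
        elif method == "GET" and m["status"] == "200" and ip in tainted_ips:
            path = normalize(m["path"])
            if path.lower().endswith((".jsp", ".jspx")):
                hits.append((ip, method, path, ["jsp-fetch-after-suspicious-upload"]))
    return hits
```

The benign GET /index.jsp is not flagged because it precedes that client's suspicious upload; only a successful .jsp fetch after a tainted upload from the same source is reported, which keeps noise down on JSP-heavy applications.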
Security researchers have identified links between CVE-2024-53677 and a previously documented vulnerability, CVE-2023-50164. The incomplete patch for CVE-2023-50164 likely contributed to the emergence of this new flaw. Attackers leverage the similarities to refine their exploit techniques, with enhanced exploits already circulating in public repositories.
Exploit attempts currently originate from IP address 169.150.226.162, which began scanning for vulnerable endpoints yesterday. Initial reconnaissance focused on simple paths like “/” and “/cbs,” likely probing for other upload-related vulnerabilities. These activities underscore the urgency for organizations to act swiftly.