Hackers are attempting to leverage a recently fixed critical vulnerability in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code.
It appears that threat actors have just started, according to the Shadowserver scanning platform, whose researchers observed a small number of IP addresses engaged in exploitation attempts.
Apache Struts is an open-source web application framework designed to streamline the development of Java EE web apps, offering a form-based interface and extensive integration capabilities.
The product is used extensively across various industries in both the private and public sectors, including government organizations, for its efficiency in building scalable, reliable, and easily maintainable web applications.
On December 7, Apache released Struts versions 6.3.0.2 and 2.5.33 to address a critical severity vulnerability currently identified as CVE-2023-50164.
The security issue is a path traversal flaw that can be exploited if certain conditions are met.
It can allow an attacker to upload malicious files and achieve remote code execution on the target server.
A threat actor exploiting such a vulnerability could gain unauthorized access to the web server, modify or steal sensitive data, disrupt critical services, or move laterally in the breached network.
The RCE vulnerability affects Struts versions 2.0.0 through 2.3.37, Struts 2.5.0 through 2.5.32, and Struts 6.0.0 up to 6.3.0.
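For triage, the affected and fixed versions above can be turned into a small check that runs over a project's dependency manifest. This is an added example, not code from the article or from the Struts project; the version boundaries come from the advisory as reported here, while the pom.xml pattern and the sample fragment are constructed assumptions.

```python
"""Triage helper for CVE-2023-50164: is a given struts2-core version in an
affected range, and which release (if the advisory names one) fixes it?"""
import re
from typing import List, Optional, Tuple

# Inclusive affected ranges from the advisory, with the fixed release for each
# line. The 2.0.0-2.3.37 line has no fixed release named in the advisory.
AFFECTED_RANGES = [
    ("2.0.0", "2.3.37", None),
    ("2.5.0", "2.5.32", "2.5.33"),
    ("6.0.0", "6.3.0", "6.3.0.2"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.3.0.2' into (6, 3, 0, 2). Trailing zeros are dropped so that
    6.3.0 equals 6.3 while the four-part fix 6.3.0.2 still sorts after it."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def check_struts_version(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for a struts2-core version string."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None

# Assumed Maven layout: artifactId immediately followed by a literal version.
# ${property} placeholders are returned as-is so they can be resolved by hand.
POM_PATTERN = re.compile(
    r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>"
)

def struts_versions_in_pom(pom_xml: str) -> List[str]:
    """Extract struts2-core versions declared in a pom.xml string."""
    return POM_PATTERN.findall(pom_xml)

# Constructed sample dependency block; not taken from any real project.
SAMPLE_POM = """
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.5.30</version>
</dependency>
"""
```

Running `check_struts_version` over `struts_versions_in_pom(SAMPLE_POM)` reports 2.5.30 as affected with 2.5.33 as the fixed release; a `${struts.version}` placeholder raises `ValueError` and must be resolved manually.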
On December 10, a security researcher published a technical write-up for CVE-2023-50164, explaining how a threat actor could contaminate file upload parameters in attacks.
A second write-up, which includes exploit code for the flaw, was published yesterday.
In a security advisory published yesterday, Cisco said that it is investigating CVE-2023-50164 to determine which of its products that use Apache Struts may be affected and to what extent.
A full list of potentially impacted products is available in Cisco's security bulletin, which is expected to be updated as new information becomes available.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 13 Dec 2023 16:20:08 +0000