Attackers are trying to exploit Apache Struts vulnerability (CVE-2023-50164)

Attackers are trying to leverage public proof-of-exploit (PoC) exploit code for CVE-2023-50164, the recently patched path traversal vulnerability in Apache Struts 2.

“Attackers aim to deploy webshells, with some cases targeting the parameter ‘fileFileName’ – a deviation from the original exploit PoC,” Akamai’s Security Intelligence Group flagged on Wednesday.

The Shadowserver Foundation has also started noticing exploitation attempts in their sensors, though they don’t see them succeeding.

About the vulnerability

CVE-2023-50164, reported by Steven Seeley of Source Incite, enables path traversal by manipulating of file upload parameters and, in some cases, may allow attackers to upload malicious files that can be used to achieve remote code execution.

The vulnerability affects Apache Struts versions:

• 2.0.0 through 2.5.32
• 6.0.0 through 6.3.0.1
• 2.0.0 through 2.3.37 (which are no longer supported)

It has been fixed in Apache Struts versions 2.5.33 and 6.3.0.2, and Struts 2 developers and users have been urged to upgrade as soon as possible – there are no workarounds.

PoC exploit code for CVE-2023-50164 is public

An analysis and reproduction of the bug has been published on December 12 and the author noted that “this vulnerability requires different POCs to be produced according to different scenarios, because if strict interception and inspection are carried out at the file upload point, it will be difficult to bypass.”

Matthew Remacle, a detection engineer at GreyNoise, published an analysis of that analysis.

He pointed out that Apache Struts comes embedded in various enterprise grade applications, and noted that “while [the researchers have] proven that you can drop an arbitrary shell.jsp or webshell to an Apache Struts2 to web application (…) the dropped shell.jsp file must be in a valid route that can be remotely reached by an attacker in order to be triggered. And this will vary from web application to web application.”

“I’m very interested to see what’s going to happen in the coming weeks, and there will be several different variations depending on vendor product and how it is implemented on the server side, depending on the business use logic,” he concluded.

A PoC exploit script has been released on December 13 by vulnerability researcher Ákos Jakab, but it works only when the target web app is deployed to Apache Tomcat.

UPDATE (December 18, 2023, 04:20 a.m. ET):

F5 Networks says that none of its products are affected by CVE-2023-50164.

Cisco is still investigating which of its products are affected, but has confirmed that Identity Services Engine (ISE) and Unified SIP Proxy Software (no longer supported) are.

The Canadian Centre for Cyber Security has offered several recommendations and outlined how to find Struts files and archives on Linux and Windows systems.