Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code.
Exploitation appears to have only just begun: researchers at the Shadowserver scanning platform observed a small number of IP addresses engaged in exploitation attempts.
Apache Struts is an open-source web application framework designed to streamline the development of Java EE web apps, offering a form-based interface and extensive integration capabilities.
The product is used extensively across various industries in both the private and public sectors, including government organizations, for its efficiency in building scalable, reliable, and easily maintainable web applications.
The security issue is a path traversal flaw that can be exploited if certain conditions are met. It can allow an attacker to upload malicious files and achieve remote code execution (RCE) on the target server. A threat actor exploiting the vulnerability could gain unauthorized access to web servers, modify sensitive files, manipulate or steal sensitive data, disrupt critical services, or move laterally within the breached network.
The RCE vulnerability affects Struts versions 2.0.0 through 2.3.37 (end of life), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 up to 6.3.0.
On December 10, a security researcher published a technical write-up for CVE-2023-50164, explaining how a threat actor could contaminate file upload parameters in attacks. A second write-up, which includes exploit code for the flaw, was published yesterday.
Cisco possibly impacted
In a security advisory yesterday, Cisco says that it is investigating CVE-2023-50164 to determine which of its products with Apache Struts may be affected and to what extent.
The set of Cisco products under analysis includes the Customer Collaboration Platform, Identity Services Engine (ISE), Nexus Dashboard Fabric Controller (NDFC), Unified Communications Manager (Unified CM), Unified Contact Center Enterprise (Unified CCE), and Prime Infrastructure.
A full list of potentially impacted products is available in Cisco’s security bulletin, which is expected to be updated as new information becomes available.