Recently disclosed critical-severity vulnerability CVE-2023-50164 in Apache Struts 2, rated at a CVSS score of 9.8, has been exploited by threat actors. The flaw involves file upload logic, allowing an attacker to perform path traversal and achieve remote code execution (RCE). By manipulating file upload parameters at the /upload.action endpoint, attackers can introduce an additional parameter in lowercase to override an internal file name variable. This could lead to system exploitation and the ability to upload malicious payloads. While various cybersecurity firms have observed exploitation attempts, they note the challenge in scaling the attack, unlike a previous Struts vulnerability exploited in the Equifax hack in 2017. Apache has released patches, urging all Struts users to update to secure versions.
Read more: https://www.securityweek.com/recent-apache-struts-2-vulnerability-in-attacker-crosshairs/