
CVE-2023-50164: Apache Struts Unauthenticated File Upload Remote Code Execution

On December 7, Apache released a patch for Apache Struts, its open-source Model-View-Controller (MVC) framework.

The patch addresses a new critical unauthenticated file upload vulnerability that can lead to remote code execution (RCE), tracked as CVE-2023-50164.

Proof-of-concept exploit code is publicly available, and evidence of active exploitation was observed on December 13.

Affected Versions

  • Apache Struts 2.0.0 through 2.5.32
  • Apache Struts 6.0.0 through 6.3.0.1

Many third-party vendors use the Apache Struts framework in their products. Cisco has published an advisory detailing which of its products are affected by the vulnerability.

Mitigations

Update vulnerable installations to the fixed release for their branch:

  • Apache Struts 2.5.33
  • Apache Struts 6.3.0.2

Recommended Actions

If you have any web-facing sites or applications, check with your vendor whether they use Apache Struts and apply the appropriate patch. All vulnerable Apache Struts instances should be patched immediately.
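To help with the inventory step above, here is an added example (not code from the advisory or from the Apache Struts project) that checks a Struts version string against the affected ranges listed above and reports the fixed release to move to. It also scans deployment directories for `struts2-core-*.jar` file names; the jar naming pattern and the sample paths are assumptions, and a file name match is only a hint, not proof of the version actually loaded.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

# Affected ranges and fixed releases as stated in the advisory.
AFFECTED = [
    ((2, 0, 0), (2, 5, 32), "2.5.33"),
    ((6, 0, 0), (6, 3, 0, 1), "6.3.0.2"),
]

def parse_version(text: str) -> tuple:
    """Turn '6.3.0.1' or '2.5.32' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(v: tuple, n: int) -> tuple:
    # Pad shorter tuples with zeros so 6.3.0 compares as 6.3.0.0.
    return v + (0,) * (n - len(v))

def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        n = max(len(v), len(low), len(high))
        if _pad(low, n) <= _pad(v, n) <= _pad(high, n):
            return fixed
    return None

# Assumed Maven-style jar naming, e.g. struts2-core-2.5.30.jar (assumption).
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def scan_jar_names(names: Iterable[str]) -> dict:
    """Map each struts2-core jar path to the fix it needs (None = not affected)."""
    results = {}
    for name in names:
        m = JAR_RE.search(name)
        if m:
            results[name] = fixed_version_for(m.group(1))
    return results

def scan_directory(root: str) -> dict:
    """Walk a deployment tree for struts2-core jars (file-name check only)."""
    return scan_jar_names(str(p) for p in Path(root).rglob("struts2-core-*.jar"))

if __name__ == "__main__":
    # Constructed sample paths; in practice call scan_directory("/opt/tomcat/webapps").
    sample = ["/opt/app/WEB-INF/lib/struts2-core-2.5.30.jar",
              "/opt/app/WEB-INF/lib/struts2-core-6.3.0.2.jar"]
    for path, fix in scan_jar_names(sample).items():
        print(path, "->", f"upgrade to {fix}" if fix else "not affected")
```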

Additional Resources


DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.
