Critical RCE Vulnerability in Apache Struts 2

The Apache Struts project has disclosed and patched a critical vulnerability in the widely used Java web framework Apache Struts 2. The flaw, tracked as CVE-2023-50164, can lead to remote code execution (RCE). Its discovery is credited to Steven Seeley of Source Incite.

According to the project's advisory, CVE-2023-50164 lets an attacker manipulate file upload parameters to achieve path traversal; under some circumstances this allows a malicious file to be written to a location from which it can be used to execute code on the server. At the time of writing, no further technical details or proof-of-concept have been published.

The vulnerability affects Apache Struts versions 2.0.0 through 2.5.32 (which includes the end-of-life 2.3.x line, for which no fix will be issued) and 6.0.0 through 6.3.0.1. It is fixed in versions 2.5.33 and 6.3.0.2.

Teams running Struts 2 applications are strongly advised to upgrade to 2.5.33 or 6.3.0.2 without delay. The patched releases are drop-in replacements and require no configuration changes; because struts2-core ships inside each application's archive, every affected application has to be rebuilt (or have the jar replaced) and redeployed.
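A quick way to find out which deployments still need the upgrade is to locate every struts2-core jar on a host and compare its version with the affected ranges above. The script below is an added example written for this article, not code from the Apache Struts project: it reads the version from the Maven pom.properties entry that a real struts2-core jar carries (falling back to the file name), checks it against the ranges 2.0.0-2.5.32 and 6.0.0-6.3.0.1, and exercises the scanner on four constructed stand-in jars with hypothetical application names.

```python
"""Offline check of struts2-core jars against the CVE-2023-50164 affected ranges."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, int, int, int]

# Inclusive affected ranges from the advisory: 2.0.0-2.5.32 and 6.0.0-6.3.0.1.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((2, 0, 0, 0), (2, 5, 32, 0)),
    ((6, 0, 0, 0), (6, 3, 0, 1)),
)
# Entry Maven writes into every struts2-core jar it builds.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(version: str) -> Version:
    """Normalise '6.3.0.1', '2.5.32-SNAPSHOT' or '2.5' into a 4-tuple for ordering."""
    match = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def struts_core_version(jar_path: Path) -> Optional[str]:
    """Read the version stamped into the jar by Maven; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPERTIES in jar.namelist():
                text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        return value.strip()
    except zipfile.BadZipFile:
        return None  # not a jar at all; report it as unknown
    match = re.match(r"^struts2-core-(.+)\.jar$", jar_path.name)
    return match.group(1) if match else None


def scan(root: Path) -> Iterator[Tuple[Path, Optional[str], bool]]:
    """Yield (jar, version, vulnerable) for every struts2-core jar under root."""
    for jar in sorted(root.rglob("struts2-core-*.jar")):
        version = struts_core_version(jar)
        yield jar, version, bool(version is not None and is_vulnerable(version))


# Constructed sample deployments (hypothetical application names) for the demo.
SAMPLE_DEPLOYMENTS = (
    ("legacy-portal", "2.5.32"),
    ("patched-portal", "2.5.33"),
    ("new-portal", "6.3.0.1"),
    ("fixed-portal", "6.3.0.2"),
)


def make_sample_jar(path: Path, version: str) -> None:
    """Write a stand-in jar that carries only the Maven pom.properties entry."""
    path.parent.mkdir(parents=True, exist_ok=True)
    props = f"version={version}\ngroupId=org.apache.struts\nartifactId=struts2-core\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, props)


def run_demo() -> Dict[str, Tuple[Optional[str], bool]]:
    """Build the sample deployments in a temp dir and scan them: app -> (version, vulnerable)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for app, version in SAMPLE_DEPLOYMENTS:
            jar = root / app / "WEB-INF" / "lib" / f"struts2-core-{version}.jar"
            make_sample_jar(jar, version)
        return {
            jar.relative_to(root).parts[0]: (version, vulnerable)
            for jar, version, vulnerable in scan(root)
        }


if __name__ == "__main__":
    for app, (version, vulnerable) in run_demo().items():
        state = "VULNERABLE" if vulnerable else "ok"
        print(f"{app:15} struts2-core {str(version):8} {state}")
```

Point scan() at a real servlet container root (for example the webapps directory) to check live deployments. The check only sees struts2-core jars that exist as separate files; applications that shade the framework into a single fat jar, or that exploded and renamed the library, need their build manifests inspected instead.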

Apache Struts 2 is a frequent target for attackers. The open-source Java framework is widely used to build web applications in corporate environments, and vulnerabilities in it are typically exploited within days of disclosure. Its predecessor, Apache Struts 1, is no longer supported.

In 2017, the credit bureau Equifax suffered a breach of its US web portal that exposed the personal data of roughly 147 million people. Attackers exploited a known Struts 2 vulnerability for which a patch had already been available for months; the company had failed to apply it in time.
