New critical vulnerability exposes Apache Struts instances to remote attacks

Update your Apache Struts instances now.

A critical remote code execution vulnerability in Apache Struts, a popular open source web application software framework, allows hackers to take over targeted machines in attacks.

The vulnerability (CVE-2018-11776) impacts the software, which is used by an estimated 65 percent of Fortune 100 companies and growing.

The vulnerability, disclosed Tuesday, is attributed to insufficient validation of untrusted user data in the core of Struts. The announcement provoked a worried response from information security experts.


The new Struts vulnerability was identified in April by Man Yue Mo from the Semmle Security Research Team. It was patched in June and publicly announced on Tuesday. Apache Struts users are urged to patch immediately.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” said Pavel Avgustinov, a co-founder at Semmle.

“A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

An Apache Struts vulnerability was famously a key factor in the 2017 Equifax breach, which led to the theft of data on 148 million people and potentially cost upwards of $600 million, according to the company.

Soon after the public announcement of the vulnerability used against Equifax, hackers attempted to use it more widely, including against U.S. government targets like the Pentagon.


“The vulnerability that took down Equifax last year when it was released in March, we had a nation-state actor within 24 hours scanning looking for unpatched servers within the DoD,” David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), said earlier this year.


Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.
