Vulnerability in Apache Struts 2 (December 13, 2023)
On December 4, 2023, Apache published a security advisory regarding the critical vulnerability CVE-2023-50164 affecting the Struts 2 framework. This vulnerability allows an unauthenticated attacker to upload a backdoor to a vulnerable server, thus executing arbitrary code...
CSIRTS triage
- What
- The vulnerability allows an unauthenticated attacker to upload a backdoor to a vulnerable server, thus executing arbitrary code.
- Who is affected
- Deployments of Apache Struts 2 that are vulnerable.
- Urgency
- Remediation is urgent due to the critical nature of the vulnerability.
- Action
- Apply the security patch provided by Apache.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Struts 2
Get an email when a new Struts 2 advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-013/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation likely imminentCVE-2023-50164EPSS puts this in the most-targeted tier (80.8% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2023-50164 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Apache Struts
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalexploitedCVE-2013-2251: Apache Struts Improper Input Validation Vulnerabilitycisa-kev · 2022-03-25
- criticalexploitedCVE-2017-9791: Apache Struts 1 Improper Input Validation Vulnerabilitycisa-kev · 2022-02-10
- criticalexploitedCVE-2012-0391: Apache Struts 2 Improper Input Validation Vulnerabilitycisa-kev · 2022-01-21
- criticalexploitedCVE-2006-1547: Apache Struts 1 ActionForm Denial-of-Service Vulnerabilitycisa-kev · 2022-01-21
- criticalexploitedCVE-2018-11776: Apache Struts Remote Code Execution Vulnerabilitycisa-kev · 2021-11-03
- criticalexploitedCVE-2017-9805: Apache Struts Deserialization of Untrusted Data Vulnerabilitycisa-kev · 2021-11-03
More from CERT-FR Alertes de sécurité
- unknown[Update] Vulnerability in Microsoft Exchange Server (May 15, 2026)2026-05-15
- unknownVulnerability in F5 BIG-IP Access Policy Manager (March 31, 2026)2026-03-31
- unknownAlert note – Targeting instant messaging accounts (March 20, 2026)2026-03-20
- unknown[Update] Vulnerability in Cisco Catalyst SD-WAN (February 25, 2026)2026-02-25
- unknown[Update] Multiple vulnerabilities in Ivanti Endpoint Manager Mobile (January 30, 2026)2026-01-30