The NCSC would like to draw your attention to CVE-2023-50164 affecting Apache Struts 2(external link), which has a CVSS of 9.8. The NCSC is aware of public reporting of active exploitation and a proof of concept.
This is a path traversal vulnerability that can be exploited if certain conditions are met. It can allow an attacker to upload malicious files and achieve remote code execution (RCE) on the target server. Vulnerabilities affecting Struts 2 have had significant impact due to the wide adoption of the framework across various web applications used in industry. Therefore, there is an elevated risk that this vulnerability will be exploited by malicious actors.
The NCSC encourages organisations in New Zealand that use the affected products to review the vendor announcement(external link) and apply patches as soon as possible. The NCSC encourages organisations to undertake due diligence to identify whether the Struts 2 framework is used in your environment by searching for the associated .jar files.
If your organisation has seen or does see evidence of compromise related to CVE-2023-50164, please contact ncscincidents@ncsc.govt.nz.
Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.
For more NCSC NZ updates, follow(external link) us on LinkedIn.