Security News > 2023 > December > New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164)
The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution.
The vulnerability affects Apache Struts versions 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1, and has been fixed in Apache Struts versions 2.5.33 and 6.3.0.2.
"All developers are strongly advised to perform this upgrade," the Apache Struts project urges.
Vulns in Apache Struts 2 are often leveraged by attackers.
Apache Struts 2 is a modern open-source Java framework for building enterprise-ready web applications.
The 2017 compromise of Equifax's US website and the subsequent massive data breach was the result of an Apache Struts 2 flaw (and lax patching practicesoften exploited by attackers.
News URL
https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/
Related news
- Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457) (source)
- Max severity RCE flaw discovered in widely used Apache Parquet (source)
- CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- PoC exploit for SysAid pre-auth RCE released, upgrade quickly! (source)