Cyber Resilience

CVE-2017-5638

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 11 March 2017
Modified: 21 April 2026
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9427 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-5638 is a critical-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Apache Struts 2, with HP Server Automation among the affected products. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2017-5638 resides in the Jakarta Multipart parser component of Apache Struts 2 versions 2.3.x prior to 2.3.32 and 2.5.x prior to 2.5.10.1. It arises from improper exception handling and error-message generation when processing file-upload requests, tracked as CWE-755, and carries a CVSS 3.1 base score of 9.8.

Unauthenticated remote attackers can exploit the flaw over the network by supplying a crafted Content-Type, Content-Disposition, or Content-Length HTTP header during a file-upload attempt, resulting in arbitrary command execution on the server with no user interaction required.

The issue was exploited in the wild in March 2017, including attacks that embedded a #cmd= string inside the Content-Type header. Multiple vendor advisories and security analyses reference the same attack pattern and affected Struts versions.
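The version boundaries above (2.3.x before 2.3.32, 2.5.x before 2.5.10.1) are the first thing a defender needs when triaging an inventory. The following is an added example, not code from this page or from the Struts project: it classifies a version string against those two fix levels and sorts a constructed inventory so affected hosts come first. Hostnames and versions in the sample are hypothetical; versions on branches the advisory text does not mention (for instance 2.1.x) are reported as "unlisted" rather than guessed.

```python
"""Classify an Apache Struts 2 version against the CVE-2017-5638 fix levels
stated in the advisory: 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
Added example; the inventory below is constructed, not real hosts."""
import re
from typing import List, Tuple

# First fixed version per branch (from the advisory text). Anything on the
# same branch below the fixed version is affected.
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). A trailing qualifier such as
    '-SNAPSHOT' is dropped; anything unparsable raises ValueError."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unlisted' (a branch the advisory
    text does not cover, which needs a manual decision)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison is lexicographic, so (2, 5, 10) < (2, 5, 10, 1) as intended.
    return "vulnerable" if v < fixed else "fixed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Attach a verdict to each (host, version) pair, affected hosts first."""
    verdicts = [(host, ver, classify(ver)) for host, ver in inventory]
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    return sorted(verdicts, key=lambda row: order[row[2]])


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = [
        ("app-01.example.test", "2.3.31"),
        ("app-02.example.test", "2.3.32"),
        ("app-03.example.test", "2.5.10"),
        ("app-04.example.test", "2.5.10.1"),
        ("app-05.example.test", "2.5.8-SNAPSHOT"),
        ("legacy.example.test", "2.1.8"),
    ]
    for host, ver, verdict in triage(sample):
        print(f"{verdict:10s} {host:22s} {ver}")
```

The "unlisted" bucket is deliberate: the Affected Assets block on this page gives a wider CPE range (2.2.3 to 2.3.32) than the advisory sentence, so a branch outside 2.3/2.5 should be decided by a person against the vendor advisory rather than silently marked safe.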


Vulnerability details

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CWE(s): CWE-755 (Improper Handling of Exceptional Conditions)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache struts: 2.2.3 — 2.3.32 · 2.5.0 — 2.5.10.1
ibm storwize v3500 firmware: 7.7.1.6, 7.8.1.0
ibm storwize v5000 firmware: 7.7.1.6, 7.8.1.0
ibm storwize v7000 firmware: 7.7.1.6, 7.8.1.0
lenovo storage v5030 firmware: 7.7.1.6, 7.8.1.0
hp server automation: 10.0.0, 10.1.0, 10.2.0, 10.5.0, 9.1.0
oracle weblogic server: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
arubanetworks clearpass policy manager: ≤ 6.6.5
netapp oncommand balance: all versions

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly requires timely application of security patches to eliminate the known Struts Jakarta Multipart parser flaw before exploitation.

prevent (SI-10, Information Input Validation): Mandates validation of untrusted HTTP header inputs (Content-Type, Content-Disposition, Content-Length) that are used as the injection vector for command execution.

prevent: Requires proper exception handling so that malformed upload headers do not trigger the error-message generation path that yields arbitrary command execution.
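The input-validation control above is concrete enough to implement at the edge: the three headers the advisory names have a narrow legitimate grammar, so a reverse proxy or filter can reject anything that does not fit it before the request reaches the multipart parser's error-handling path. The block below is an added example, not code from this page or from the Struts project. It validates Content-Type and Content-Disposition as an RFC 7230 token-based media type with optional parameters, Content-Length as a plain integer, flags the in-the-wild `#cmd=` marker the page mentions, and runs the same check over constructed access-log lines. The `ct="..."` log field format is an assumption made for the sample; real logs will need their own extraction regex.

```python
"""Defensive check for the CVE-2017-5638 injection vector: validate the
upload request headers named in the advisory (Content-Type,
Content-Disposition, Content-Length) against a strict grammar before they
reach the multipart parser, and flag the in-the-wild '#cmd=' marker in
access logs. Added example; the log lines below are constructed."""
import re
from typing import Dict, List

# RFC 7230 'token' characters. A media type is token "/" token followed by
# optional ";name=value" parameters (value is a token or a quoted-string).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|\"(?:[^\"\\]|\\.)*\")"
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")

# Per-header grammar for the three headers the advisory names as the vector.
HEADER_RULES: Dict[str, "re.Pattern[str]"] = {
    "content-type": MEDIA_TYPE,
    "content-disposition": re.compile(rf"^{TOKEN}(?:{PARAM})*\s*$"),
    "content-length": re.compile(r"^\d{1,10}$"),
}


def validate_upload_headers(headers: Dict[str, str]) -> List[str]:
    """Return rejection reasons; an empty list means the headers are clean.
    Rejecting here is the SI-10 control in practice: a malformed header is
    never handed to the framework, so its error-message path is never hit."""
    problems = []
    for name, value in headers.items():
        rule = HEADER_RULES.get(name.lower())
        if rule is None:
            continue  # headers outside the advisory's vector are out of scope
        if "#cmd=" in value:
            problems.append(f"{name}: contains the in-the-wild marker '#cmd='")
        elif not rule.fullmatch(value):
            problems.append(f"{name}: does not match the expected grammar")
    return problems


# Assumed log layout: time, source IP, method, path, then ct="<Content-Type>".
LOG_LINE = re.compile(r'(\S+) (\S+) (\S+) (\S+) ct="([^"]*)"')


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the header check over access-log lines; one hit per bad request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, src, _method, path, ctype = m.groups()
        problems = validate_upload_headers({"Content-Type": ctype})
        if problems:
            hits.append({"time": ts, "src": src, "path": path,
                         "reason": "; ".join(problems)})
    return hits


# Constructed sample log (documentation IP ranges, placeholder payload text).
SAMPLE_LOG = [
    '2017-03-08T10:00:01Z 198.51.100.7 POST /upload.action ct="multipart/form-data; boundary=----constructed1"',
    '2017-03-08T10:00:02Z 203.0.113.5 POST /upload.action ct="#cmd=REDACTED"',
    '2017-03-08T10:00:03Z 198.51.100.9 POST /upload.action ct="multipart/form-data; boundary=abc123"',
    '2017-03-08T10:00:04Z 203.0.113.9 POST /upload.action ct="not a media type"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two design points: the grammar check is evaluated even when the `#cmd=` string is absent, so a variant that drops the marker but still is not a well-formed media type is caught by the same rule; and the check is allow-list shaped (what a legitimate header looks like) rather than a deny-list of known payload fragments, which is what SI-10 asks for.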

References