Cyber Resilience

CVE-2024-53677

Severity: Critical
Published: 11 December 2024
Modified: 15 July 2025
KEV Added: not listed
Patch: Struts 6.4.0 or later (S2-067)
CVSS v4.0 score: 9.5
CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red
EPSS score: 0.9319 (99.8th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-53677 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Apache Struts. Its CVSS base score is 9.5 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Struts contains a flaw in its legacy file upload logic that permits an attacker to manipulate upload parameters and perform path traversal. The issue affects all versions from 2.0.0 through 6.3.x (every release before 6.4.0) and is tracked as CVE-2024-53677 with a CVSS score of 9.5. It is reachable only in applications that continue to rely on the deprecated FileUploadInterceptor rather than the newer upload mechanism.

An unauthenticated remote attacker can supply crafted file-upload parameters to write a malicious file to an arbitrary location on the server. Under certain deployment conditions this file can subsequently be executed, resulting in remote code execution on the affected Struts instance.

The Apache Security Team recommends upgrading immediately to Struts 6.4.0 or later, together with migrating to the new file-upload implementation documented at https://struts.apache.org/core-developers/file-upload. Applications that do not use the old FileUploadInterceptor are unaffected. Additional details are available in the S2-067 advisory at https://cwiki.apache.org/confluence/display/WW/S2-067, and NetApp has published a corresponding advisory.
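As an added example (not from the advisory or the Struts project), the following POSIX shell script checks a deployed webapp for the two conditions the guidance above ties exposure to: a struts2-core jar whose version is below 6.4.0, and a struts.xml that references the legacy FileUploadInterceptor. The interceptor's default registration name `fileUpload` and the 6.4.0 replacement name `actionFileUpload` come from Struts' own struts-default.xml rather than from this page; the sample webapp layout, jar name and struts.xml built by `make_fixture()` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not advisory or project code: audit a webapp directory for the two
# conditions S2-067 ties CVE-2024-53677 to, a struts2-core release before 6.4.0 and use
# of the legacy FileUploadInterceptor. make_fixture() builds a constructed sample webapp.

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Compares the first three numeric components; any "-qualifier" suffix is dropped.
version_lt() {
    a="${1%%-*}.0.0"
    b="${2%%-*}.0.0"
    set -- $(echo "$a" | tr '.' ' '); a1=$1; a2=$2; a3=$3
    set -- $(echo "$b" | tr '.' ' '); b1=$1; b2=$2; b3=$3
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# struts_core_version DIR: print the version embedded in the first struts2-core-*.jar
# file name found under DIR; fail when there is none. Trusts the file name only.
struts_core_version() {
    jar=$(find "$1" -name 'struts2-core-*.jar' 2>/dev/null | head -n 1)
    [ -n "$jar" ] || return 1
    v=$(basename "$jar" .jar)
    echo "${v#struts2-core-}"
}

# uses_legacy_upload STRUTS_XML: succeed when the file references the legacy interceptor,
# by class name or by its default stack name "fileUpload". The 6.4.0 replacement is
# registered as "actionFileUpload", which the quoted pattern deliberately does not match.
uses_legacy_upload() {
    grep -Eq 'FileUploadInterceptor|interceptor-ref[^>]*name="fileUpload"' "$1"
}

# assess DIR: print a verdict. Exit 0 = exposed, 1 = not exposed or inconclusive,
# 2 = no Struts core jar found.
assess() {
    ver=$(struts_core_version "$1") || { echo "no struts2-core jar under $1"; return 2; }
    if ! version_lt "$ver" 6.4.0; then
        echo "struts2-core $ver: 6.4.0 or later, outside the affected range"
        return 1
    fi
    xml=$(find "$1" -name struts.xml 2>/dev/null | head -n 1)
    if [ -n "$xml" ] && uses_legacy_upload "$xml"; then
        echo "struts2-core $ver with legacy fileUpload interceptor in $xml: EXPOSED, upgrade to 6.4.0+ and migrate"
        return 0
    fi
    echo "struts2-core $ver is in the affected range; no explicit FileUploadInterceptor reference found, verify the interceptor stack manually"
    return 1
}

# make_fixture: constructed throwaway webapp (an empty jar carrying an old version in its
# name, plus a struts.xml that wires the legacy interceptor). Prints the directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib" "$d/WEB-INF/classes"
    : > "$d/WEB-INF/lib/struts2-core-6.3.0.2.jar"
    cat > "$d/WEB-INF/classes/struts.xml" <<'EOF'
<struts>
  <package name="upload" extends="struts-default">
    <action name="doUpload" class="example.UploadAction">
      <interceptor-ref name="fileUpload"/>
      <interceptor-ref name="basicStack"/>
      <result>/done.jsp</result>
    </action>
  </package>
</struts>
EOF
    echo "$d"
}

fixture=$(make_fixture)
trap 'rm -rf "$fixture"' EXIT
assess "${1:-$fixture}"   # pass a real webapp root as $1 to audit it instead of the fixture
```

Run it as `sh check_struts_upload.sh /path/to/webapp`. The struts.xml grep is a heuristic: releases before 6.4.0 also carry the legacy interceptor in their default stack, so an application that handles uploads through the default stack without naming `fileUpload` explicitly is reported as "verify manually" rather than safe. The jar check likewise trusts the file name, so a relocated or renamed struts2-core jar needs a manual look at its manifest. Only the upgrade and migration described in the advisory settle the question.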

The CVE carries an EPSS score of 0.93, indicating a high likelihood of exploitation in the wild.

Vulnerability details

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileUploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: struts
Versions: from 2.0.0 before 6.4.0

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in a detonation chamber (sandbox) to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References