Cyber Resilience

CVE-2025-68493

High

Published: 11 January 2026

Published
11 January 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS Score 0.2248 97.4th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2025-68493 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Apache Struts. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-68493 is a missing XML validation vulnerability, classified under CWE-611 (XML External Entity Injection), affecting Apache Struts. The issue impacts versions from 2.0.0 before 2.2.1, as well as versions from 2.2.1 through 6.1.0. Published on 2026-01-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating high severity due to its potential for remote exploitation with significant confidentiality and availability impacts.

Attackers can exploit this vulnerability remotely over the network without authentication privileges, though it requires user interaction, such as tricking a user into processing a malicious input. Successful exploitation enables high confidentiality loss, allowing disclosure of sensitive data, and high availability disruption, potentially leading to denial-of-service conditions, while integrity remains unaffected.

Apache advisories recommend upgrading to version 6.1.1, which resolves the issue. Additional details are available in the Apache Struts security bulletin at https://cwiki.apache.org/confluence/display/WW/S2-069 and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/01/11/2.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in public-facing Apache Struts directly enables remote exploitation of the app (T1190) and local file/data disclosure (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66675Same product: Apache Struts
CVE-2025-23195Same vendor: Apache
CVE-2025-66516Same vendor: Apache
CVE-2026-40682Same vendor: Apache
CVE-2025-29847Same vendor: Apache
CVE-2025-50151Same vendor: Apache
CVE-2025-27553Same vendor: Apache
CVE-2026-24308Same vendor: Apache
CVE-2026-24735Same vendor: Apache
CVE-2025-66518Same vendor: Apache

Affected Assets

apache
struts
2.0.0 — 2.3.37 · 2.5.0 — 2.5.33 · 6.0.0 — 6.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely patching of affected Apache Struts versions to 6.1.1 as recommended in the advisory.

prevent

Requires validation of XML inputs to block malicious external entity references exploited in this XXE injection vulnerability.

prevent

Mandates secure configuration of XML parsers in Apache Struts to disable external entity processing, addressing the missing validation flaw.

References