Cyber Posture

CVE-2025-68493

High

Published: 11 January 2026

Published
11 January 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS Score 0.0003 7.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68493 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Apache Struts. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the vulnerability by requiring timely patching of affected Apache Struts versions to 6.1.1 as recommended in the advisory.

SI-10 Information Input Validation good match
prevent

Requires validation of XML inputs to block malicious external entity references exploited in this XXE injection vulnerability.

CM-6 Configuration Settings good match
prevent

Mandates secure configuration of XML parsers in Apache Struts to disable external entity processing, addressing the missing validation flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

XXE in public-facing Apache Struts directly enables remote exploitation of the app (T1190) and local file/data disclosure (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Deeper analysisAI

CVE-2025-68493 is a missing XML validation vulnerability, classified under CWE-611 (XML External Entity Injection), affecting Apache Struts. The issue impacts versions from 2.0.0 before 2.2.1, as well as versions from 2.2.1 through 6.1.0. Published on 2026-01-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating high severity due to its potential for remote exploitation with significant confidentiality and availability impacts.

Attackers can exploit this vulnerability remotely over the network without authentication privileges, though it requires user interaction, such as tricking a user into processing a malicious input. Successful exploitation enables high confidentiality loss, allowing disclosure of sensitive data, and high availability disruption, potentially leading to denial-of-service conditions, while integrity remains unaffected.

Apache advisories recommend upgrading to version 6.1.1, which resolves the issue. Additional details are available in the Apache Struts security bulletin at https://cwiki.apache.org/confluence/display/WW/S2-069 and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/01/11/2.

Details

CWE(s)
CWE-611

Affected Products

apache
struts
2.0.0 — 2.3.37 · 2.5.0 — 2.5.33 · 6.0.0 — 6.1.1

CVEs Like This One

CVE-2025-66675Same product: Apache Struts
CVE-2025-23195Same vendor: Apache
CVE-2025-66516Same vendor: Apache
CVE-2026-24308Same vendor: Apache
CVE-2025-27553Same vendor: Apache
CVE-2025-50151Same vendor: Apache
CVE-2025-29847Same vendor: Apache
CVE-2025-66518Same vendor: Apache
CVE-2026-40682Same vendor: Apache
CVE-2026-24735Same vendor: Apache

References