CVE-2025-68493
Published: 11 January 2026
Summary
CVE-2025-68493 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Apache Struts. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68493 is a missing XML validation vulnerability, classified under CWE-611 (XML External Entity Injection), affecting Apache Struts. The issue impacts versions from 2.0.0 before 2.2.1, as well as versions from 2.2.1 through 6.1.0. Published on 2026-01-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating high severity due to its potential for remote exploitation with significant confidentiality and availability impacts.
Attackers can exploit this vulnerability remotely over the network without authentication privileges, though it requires user interaction, such as tricking a user into processing a malicious input. Successful exploitation enables high confidentiality loss, allowing disclosure of sensitive data, and high availability disruption, potentially leading to denial-of-service conditions, while integrity remains unaffected.
Apache advisories recommend upgrading to version 6.1.1, which resolves the issue. Additional details are available in the Apache Struts security bulletin at https://cwiki.apache.org/confluence/display/WW/S2-069 and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/01/11/2.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1898
Vulnerability details
Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XXE in public-facing Apache Struts directly enables remote exploitation of the app (T1190) and local file/data disclosure (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring timely patching of affected Apache Struts versions to 6.1.1 as recommended in the advisory.
Requires validation of XML inputs to block malicious external entity references exploited in this XXE injection vulnerability.
Mandates secure configuration of XML parsers in Apache Struts to disable external entity processing, addressing the missing validation flaw.