Thursday, August 23, 2018

Apache Struts 2 Vulnerability & Exploit (CVE-2018-11776)

Yesterday a new vulnerability in certain versions of Apache Struts (2.3 - 2.3.34, 2.5 - 2.5.16)was discovered that leads to RCE. It requires both vulnerable versions as well as vulnerable configurations.

The gist of the issue is that if you have a vulnerable configuration that doesn't lend a namespace to struts, struts will take the user-specified namespace instead. Fortunately, it takes the namespace and evaluates it as a OGNL expression, allowing you to fairly easily get remote code execution.

Working PoC (I personally tested it myself and it works)

Technical deep dive on finding the vulnerability:

Vuln writeup by Semmle (including conditions for vulnerable configurations)

Apache's security bulletin for the vuln:

Mitre CVE link:

A couple caveats I found while testing:
  • It definitely requires a lack of namespace attribute in the classes xml
  • All that is required for successful exploitation is a single proper GET request
  • Doesn't work on all struts-showcase installs (2.3.15 wasn't working for some reason), making me think it may be a bit finicky
I modified the PoC listed above into a simple python function, making everything simpler:

Below is it being run against a vulnerable VM I set up


  1. Hi!

    First I would like to thank you for taking the time and sharing this PoC with the community. I am currently wondering if this PoC could be lightly modded in order to try it on any *.action page which runs on Apache Struts2.

    I've replaced the target for:
    target = sys.argv[1]

    And also the 'actionChain1.action' at the end of the payload for my 'index.action' page. No luck yet.


  2. Did you get it working on 2.3.x version. I tried on 2.3.34 without success.