What happened
Security researchers at ZAST.AI reported a critical Apache Struts 2 vulnerability that exposes systems to XXE and SSRF attacks following the disclosure of CVE‑2025‑68493, an XML External Entity (XXE) injection flaw in the Apache Struts 2 XWork component. The flaw allows attackers to send crafted XML payloads that bypass validation and trigger external entity expansion, enabling sensitive file access, server‑side request forgery (SSRF), and possible data exfiltration or service disruption on affected servers. The vulnerability impacts a broad range of Struts 2 versions, including both end‑of‑life and currently supported releases, underscoring the widespread risk to Java web applications that parse untrusted XML configurations.
Who is affected
Organizations using Apache Struts 2 in production web applications – especially those exposed to public traffic or handling untrusted XML – are directly affected, with potential data and system integrity exposure.
Why CISOs should care
XXE and SSRF attacks can extract sensitive information, pivot into internal networks, and disrupt critical services, posing strategic and compliance risks. Legacy software components remain a persistent source of enterprise exposure.
3 practical actions
- Patch Struts 2 components: Apply vendor updates to the latest secure releases immediately.
- Harden XML parsing: Disable external entity resolution and enforce strict input validation in configuration handling.
- Inventory and monitor: Maintain an up‑to‑date asset inventory and watch for suspicious access to XML endpoints.
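The "harden XML parsing" action above in concrete form, as an added example that is not code from this page or from the Struts project: a JAXP DocumentBuilderFactory configured to refuse DTDs and external entities, probed with a constructed document that declares an external entity (the SYSTEM URI is a placeholder, and the recording resolver never touches the filesystem). The class and method names HardenedXmlParser, hardenedFactory and probe are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Constructed sample: a configuration document whose DOCTYPE declares an
    // external entity. The SYSTEM URI is a placeholder; the point is only whether
    // the parser tries to resolve it.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE cfg [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n" +
        "<cfg><value>&ext;</value></cfg>";

    // Hardened factory: no DTDs at all, no external general/parameter entities,
    // no external DTD loading, no XInclude, and no access to external DTDs/schemas.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Records whether the parser asked to resolve an external entity; returns an
    // empty entity so the probe never reads a file or opens a network connection.
    static final class RecordingResolver implements EntityResolver {
        boolean resolutionAttempted = false;
        public InputSource resolveEntity(String publicId, String systemId) {
            resolutionAttempted = true;
            return new InputSource(new StringReader(""));
        }
    }

    // Parses the document with the given factory and reports the outcome.
    static String probe(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        RecordingResolver r = new RecordingResolver();
        b.setEntityResolver(r);
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return r.resolutionAttempted ? "PARSED, external entity resolution attempted"
                                         : "PARSED, no external resolution";
        } catch (SAXParseException e) {
            return "REJECTED at DOCTYPE: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory : " + probe(DocumentBuilderFactory.newInstance(), UNTRUSTED_XML));
        System.out.println("hardened factory: " + probe(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

With a default factory the resolver is invoked (the parser would have fetched the entity); the hardened factory fails fast at the DOCTYPE, which is the behaviour to verify wherever the application parses XML it did not author.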
