Critical Apache Struts 2 Vulnerability Exposes Systems to XXE and SSRF Attacks

Related

Hackers Exploit Critical Auth Bypass in Gitea Docker Image

What happened Hackers are actively exploiting a critical authentication bypass...

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw

What happened Zimbra urged customers to patch a critical stored...

Progress Urges ShareFile Customers to Shut Down Servers Over Credible Threat

What happened Progress Software warned ShareFile customers using Storage Zone...

Ubiquiti Discloses 25 Security Flaws Across UniFi Ecosystem

What happened Ubiquiti disclosed 25 security vulnerabilities affecting products across...

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Share

What happened

Security researchers at ZAST.AI reported a critical Apache Struts 2 vulnerability that exposes systems to XXE and SSRF attacks following the disclosure of CVE‑2025‑68493, an XML External Entity (XXE) injection flaw in the Apache Struts 2 XWork component. The flaw allows attackers to send crafted XML payloads that bypass validation and trigger external entity expansion, enabling sensitive file access, server‑side request forgery (SSRF), and possible data exfiltration or service disruption on affected servers. The vulnerability impacts a broad range of Struts 2 versions, including both end‑of‑life and currently supported releases, underscoring the widespread risk to Java web applications that parse untrusted XML configurations. 

Who is affected

Organizations using Apache Struts 2 in production web applications – especially those exposed to public traffic or handling untrusted XML – are directly affected, with potential data and system integrity exposure.

Why CISOs should care

XXE and SSRF attacks can extract sensitive information, pivot into internal networks, and disrupt critical services, posing strategic and compliance risks. Legacy software components remain a persistent source of enterprise exposure.

3 practical actions

  • Patch Struts 2 components: Apply vendor updates to the latest secure releases immediately.
  • Harden XML parsing: Disable external entity resolution and enforce strict input validation in configuration handling.
  • Inventory and monitor: Maintain an up‑to‑date asset inventory and watch for suspicious access to XML endpoints.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.