A new vulnerability in the Struts 2 web application framework can potentially enable a remote attacker to execute code on systems running apps based on earlier versions of the software.

The vulnerability, announced this week by Apache, involves a potential attacker manipulating file upload parameters in what is referred to as a path traversal attack. Path traversal is a broad term, according to Akamai senior security researcher Sam Tinklenberg.

“In this case, the use of path traversals allows an attacker to upload a malicious file, most likely a webshell, outside of the normal upload directory,” he said. “The exact location will differ from application to application and must be a valid path which can be accessed from the internet.”

The flaw affects only older versions of the Struts 2 framework, and upgrading to versions 2.5.33, 6.3.0.2 or greater should eliminate the possibility of exploitation. It was first reported by researcher Steven Seeley.

Struts’ maintainers at the Apache Software Foundation urged users to patch immediately, saying that the update is “a drop-in replacement, and upgrade should be straightforward.”

Adding urgency to the need to patch is the news that proof-of-concept code has been spotted in the wild. A post on X (formerly Twitter) from the Shadowserver Foundation, a nonprofit security group that bills itself as a leading reporter and tracker of malicious internet activity, said that PoC code has been seen on sensors.

Struts 2 is a widely used framework for the development of enterprise web applications, and as such it’s a common target for cybercriminals, according to Tinklenberg. He noted, however, that the PoC code being seen in the wild is mostly generic scanning and doesn’t currently represent an imminent threat.

“For this exploit to be successful, the attack request needs to be tailored to the underlying web application,” he said. “It is not likely, the path and parameter used in the POC [must] exist in a real-world deployment or have the required file upload functionality.”

Vulnerabilities in the Struts 2 framework were at the root of the infamous Equifax breach in March 2017, which saw the personal information of hundreds of millions of people compromised and brought widespread criticism for Equifax. The company was forced to pay more than half a billion dollars in litigation settlements and fines.
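Tinklenberg's description above reduces to one server-side failure: a client-controlled file name is allowed to steer the upload outside the intended directory, to somewhere the container will serve or execute it. The following Python function is an added illustration of the check that closes that gap; it is not Struts code and not from the article, and it assumes an upload root of `/srv/app/uploads` outside the web-served tree and an illustrative list of server-executable suffixes. It rejects (rather than silently normalises) any name carrying a path component, so attempts remain visible to logging, and re-verifies that the resolved path still sits inside the root.

```python
import os
from urllib.parse import unquote

# Assumed storage directory for uploads; it sits outside any web-served tree.
UPLOAD_ROOT = os.path.realpath("/srv/app/uploads")
# Suffixes a servlet container would execute if such a file landed in a served
# directory (assumed list, for illustration only).
EXECUTABLE_SUFFIXES = (".jsp", ".jspx", ".jspf", ".jsw", ".jsv")


def resolve_upload_path(client_name: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Return the on-disk path for an untrusted upload name, or raise ValueError.

    The value is percent-decoded once so an encoded "..%2F" cannot pass this
    check and be decoded later by another layer. Any path component is rejected
    outright instead of being stripped, so a traversal attempt is an error the
    application can log rather than a file quietly written under another name.
    """
    name = unquote(client_name)
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing file name")
    normalised = name.replace("\\", "/")  # treat Windows separators the same way
    if "/" in normalised or normalised in (".", ".."):
        raise ValueError(f"file name contains a path component: {client_name!r}")
    if normalised.lower().endswith(EXECUTABLE_SUFFIXES):
        raise ValueError(f"server-executable extension rejected: {client_name!r}")
    candidate = os.path.realpath(os.path.join(upload_root, normalised))
    # Defence in depth: prove the resolved path still sits inside upload_root.
    if os.path.commonpath([candidate, upload_root]) != upload_root:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def is_safe_upload_name(client_name: str) -> bool:
    """True when resolve_upload_path would accept the name."""
    try:
        resolve_upload_path(client_name)
    except ValueError:
        return False
    return True
```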