Critical Apache Struts 2 Vulnerability Allow Attackers to Steal Sensitive Data

A critical XML external entity (XXE) injection vulnerability has been discovered in Apache Struts 2, potentially exposing millions of applications to data theft and server compromise.

The vulnerability, tracked as CVE-2025-68493, affects multiple versions of the widely used framework and requires immediate action from developers and system administrators.

Vulnerability Overview

The security flaw exists in the XWork component of Apache Struts 2, which handles XML configuration parsing.

The component fails to properly validate XML input, leaving applications vulnerable to XXE injection attacks.

CVE ID	Vulnerability Type	Affected Component	Affected Versions
CVE-2025-68493	XML External Entity (XXE) Injection	XWork Component	Struts 2.0.0–2.3.37,2.5.0–2.5.33,6.0.0–6.1.0

Threat actors can exploit this weakness to access sensitive information stored on affected servers or launch denial-of-service attacks.

Security researchers at ZAST.AI identified the vulnerability and reported it to the Apache Struts team.

The vulnerability received an “Important” security rating due to its potential impact on data confidentiality and system availability.

The vulnerability impacts a broad range of Struts 2 versions currently in use across organizations worldwide:

Affected Version Range	Status
Struts 2.0.0 – 2.3.37	End-of-Life
Struts 2.5.0 – 2.5.33	End-of-Life
Struts 6.0.0 – 6.1.0	Active Support

Organizations running any of these versions should prioritize security updates immediately.

Successful exploitation of CVE-2025-68493 could result in:

Impact Type	Description
Data Disclosure	Attackers can extract sensitive configuration files, database credentials, and application secrets
Server-Side Request Forgery (SSRF)	Internal network resources and systems can be compromised
Denial of Service (DoS)	Application availability can be disrupted using malicious XML payloads

Apache has released Struts 6.1.1 as the fixed version. Organizations should upgrade to this release immediately.

The patch maintains backward compatibility, ensuring smooth deployment without breaking existing applications.

Organizations unable to upgrade immediately can implement temporary workarounds:

Mitigation Approach	Description
Custom SAXParserFactory	Configure a custom SAXParserFactory by setting xwork.saxParserFactory to a factory class that disables external entities
JVM-Level Configuration	Disable external entities globally using JVM system properties:-Djavax.xml.accessExternalDTD=""-Djavax.xml.accessExternalSchema=""-Djavax.xml.accessExternalStylesheet=""

These workarounds provide temporary protection while organizations plan upgrade timelines. CVE-2025-68493 represents a serious threat to Struts 2 deployments worldwide.

Immediate patching should be the top priority for security teams, followed by verifying that workarounds are in place for systems that cannot be upgraded immediately.

Organizations should review their Struts 2 inventory and develop an expedited patching schedule to eliminate exposure to this critical vulnerability.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Apache Struts 2 Vulnerability Allow Attackers to Steal Sensitive Data appeared first on Cyber Security News.