Categories: Cyber Security News

Critical Apache Struts 2 Vulnerability Allows Attackers to Steal Sensitive Data

A newly disclosed vulnerability in Apache Struts 2’s XWork component poses a significant threat to Java web applications worldwide.

The flaw, tracked as CVE-2025-68493 and rated as Important severity, could expose sensitive data and enable attackers to launch denial-of-service and server-side request forgery (SSRF) attacks if systems remain unpatched.

The vulnerability stems from improper validation of XML configuration parsing within the XWork component.

Because the component does not handle XML input securely, it is vulnerable to XML External Entity (XXE) injection attacks.

This critical weakness allows attackers to craft malicious XML payloads that trick the application into processing external entities, potentially reading local files, accessing internal network resources, exfiltrating sensitive data, and disrupting service availability.

Field                 | Details
----------------------|-------------------------------------------------------------------------------
CVE ID                | CVE-2025-68493
Vulnerability Type    | XML External Entity (XXE) Injection in XWork Component
Impact                | Disclosure of Data, Denial of Service (DoS), Server-Side Request Forgery (SSRF)
Affected Component    | Apache Struts 2 XWork
Status                | Disclosed and Exploitable

The vulnerability affects a wide range of Struts 2 versions, including legacy and current branches.

Particularly concerning is that many end-of-life versions are no longer actively maintained by Apache but are still widely deployed in production environments and remain vulnerable.

Applications that rely on XML configuration and are exposed to untrusted input face the highest risk of exploitation.

The Apache Struts team has released patches and recommends that all affected organizations upgrade to Struts 6.1.1 or later.

The good news for administrators is that the fix is backward compatible, streamlining the upgrade process for most deployments.

For organizations unable to patch their systems immediately, temporary mitigations can be implemented by hardening XML parsing behavior.

Administrators can deploy a custom SAXParserFactory that disables external entities by default, or set JVM-level system properties to block external DTDs, schemas, and stylesheets.

These interim measures provide meaningful protection while organizations work toward full patching.
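The two interim measures described above, as an added example that is not code from the Struts project: a SAXParserFactory hardened against external entities, plus the JAXP system properties that correspond to the JVM flags. It assumes the JDK's built-in Xerces parser (which honours the listed feature URIs); the config fragments and the placeholder entity URI are constructed for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParsing {

    // JAXP 1.5 system properties; an empty value allows no protocol at all.
    // Equivalent JVM flags: -Djavax.xml.accessExternalDTD= -Djavax.xml.accessExternalSchema=
    // -Djavax.xml.accessExternalStylesheet= (must be set before any factory is created).
    public static void applyJvmLevelRestrictions() {
        System.setProperty("javax.xml.accessExternalDTD", "");
        System.setProperty("javax.xml.accessExternalSchema", "");
        System.setProperty("javax.xml.accessExternalStylesheet", "");
    }

    // Build a SAXParserFactory that cannot resolve external entities.
    public static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest control: reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if a deployment must tolerate DOCTYPEs: never fetch
        // external general/parameter entities or the external DTD subset.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Parse with the hardened parser; false means the document was refused.
    public static boolean parseSafely(String xml) throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        applyJvmLevelRestrictions();
        // Constructed samples: a plain Struts-style fragment, then the same fragment
        // preceded by a DOCTYPE that declares an external entity (placeholder URI).
        String plain = "<struts><package name=\"default\" extends=\"struts-default\"/></struts>";
        String withEntity = "<!DOCTYPE struts [<!ENTITY ext SYSTEM \"http://placeholder.invalid/x\">]>"
                + "<struts><package name=\"&ext;\"/></struts>";
        System.out.println("plain accepted:   " + parseSafely(plain));
        System.out.println("DOCTYPE accepted: " + parseSafely(withEntity));
    }
}
```

How XWork is made to pick up the custom factory depends on the Struts version in use and is not shown here; the disallow-doctype-decl feature is the one to verify first, since it stops entity declarations before any URI is resolved.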

The vulnerability was reported by ZAST.AI, underscoring the ongoing security scrutiny facing widely used Java frameworks.

Given Struts’ documented history in high-profile security incidents, organizations are strongly advised to prioritize this flaw in their patching queues.

Security teams should immediately verify that vulnerable versions are either removed or adequately mitigated within their infrastructure to prevent potential exploitation and data compromise.


The post Critical Apache Struts 2 Vulnerability Allows Attackers to Steal Sensitive Data appeared first on Cyber Security News.
