Apache Struts2 RCE: Used in the 2017 Equifax breach exposing 147M people. Unauthenticated RCE via Content-Type header. Update Struts2 immediately and add WAF rules blocking the attack pattern. Review your Struts-based apps immediately.
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.
Exploit-DB.ai delivers real-time AI-triaged zero-day alerts directly to your inbox.
Activate Supernova →