In 2017, Equifax failed to protect information on more than 143 million users by running an older version Apache Struts. Even though patches were available, Equifax sysadmins never bothered to update their software.

Now there is a new flaw (CVE CVE-2018-11776) in Apache Struts that can be used by a remote attacker to run malicious code on unpatched servers. The flaw was discovered by Man Yue Mo, a security researcher at Semmle.

“Organizations and developers who use Struts are urgently advised to upgrade their Struts components immediately. Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk,“ according to a Semmle blog post.

The Apache Foundation was notified in April and the patch has already been released.

According to Semmle, this new remote code execution vulnerability affects all supported versions of Apache Struts 2.

“Users of Struts 2.3 are strongly advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. The vulnerability is located in the core of Apache Struts. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled,” warned Semmle.

If you are running Apache Struts, please upgrade your systems immediately.