CVE-2020-17530: Apache Struts RCE Vulnerability

CVE-2020-17530 Overview

CVE-2020-17530 is a critical remote code execution vulnerability in Apache Struts 2 that stems from forced Object-Graph Navigation Language (OGNL) evaluation when processing raw user input in tag attributes. This vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable servers by crafting malicious OGNL expressions that bypass security restrictions. The flaw exists in Apache Struts versions 2.0.0 through 2.5.25 and has been actively exploited in the wild.

Critical Impact

This vulnerability enables unauthenticated remote code execution with no user interaction required. Attackers can achieve complete server compromise, data exfiltration, and lateral movement within affected networks. This CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Affected Products

• Apache Struts 2.0.0 - 2.5.25
• Oracle Business Intelligence 12.2.1.3.0 and 12.2.1.4.0 Enterprise
• Oracle Communications Diameter Intelligence Hub 8.0.0, 8.1.0, 8.2.0, 8.2.3
• Oracle Communications Policy Management 12.5.0
• Oracle Communications Pricing Design Center 12.0.0.3.0
• Oracle Financial Services Data Integration Hub 8.0.3 and 8.0.6
• Oracle Hospitality Opera 5 (version 5.6)
• Oracle MySQL Enterprise Monitor 8.0.23

Discovery Timeline

• December 11, 2020 - CVE-2020-17530 published to NVD
• October 27, 2025 - Last updated in NVD database

Technical Details for CVE-2020-17530

Vulnerability Analysis

This vulnerability, tracked as security bulletin S2-061, represents a continuation of OGNL injection issues that have historically plagued Apache Struts. The root cause lies in how certain Struts 2 tags evaluate user-controlled input as OGNL expressions when the %{...} syntax is used in tag attributes. When developers inadvertently pass unsanitized user input to these attributes, an attacker can inject malicious OGNL expressions that execute arbitrary Java code on the server.

The attack can be conducted remotely over the network without any authentication or user interaction, making it particularly dangerous for internet-facing applications. Successful exploitation grants attackers full control over the affected system with the privileges of the web application process, potentially leading to complete system compromise, data theft, ransomware deployment, or establishment of persistent backdoors.

Root Cause

The vulnerability originates from insufficient input validation in Apache Struts 2's OGNL expression evaluation mechanism. When tag attributes receive user-controlled values and perform forced OGNL evaluation using the %{...} syntax, the framework fails to properly sanitize these inputs before evaluation. This allows attackers to inject arbitrary OGNL expressions that can instantiate Java objects and invoke methods, ultimately achieving remote code execution. The flaw is classified as CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement).

Attack Vector

Attackers exploit this vulnerability by submitting specially crafted HTTP requests containing malicious OGNL expressions to vulnerable Struts 2 applications. The attack flow typically involves:

1. Identifying a Struts 2 application with vulnerable tag usage where user input flows into tag attributes
2. Crafting an OGNL payload that chains object instantiation and method calls to execute system commands
3. Sending the payload via HTTP parameters, headers, or form fields that reach the vulnerable tag attribute
4. The malicious OGNL expression evaluates on the server, executing arbitrary code with application privileges

The vulnerability requires no authentication and can be exploited with a single HTTP request, making it highly attractive for automated exploitation and mass scanning campaigns.

Detection Methods for CVE-2020-17530

Indicators of Compromise

• Unusual HTTP requests containing OGNL expression patterns such as %{, @java.lang, Runtime.getRuntime(), or ProcessBuilder in parameters or headers
• Web server logs showing requests with encoded OGNL payloads attempting command execution
• Unexpected outbound network connections from web application servers
• Anomalous process spawning from Java/Tomcat processes, particularly shell invocations
• Evidence of new files created in web application directories or system temp folders

Detection Strategies

• Deploy web application firewalls (WAF) with rules to detect and block OGNL injection patterns
• Implement network intrusion detection signatures for known CVE-2020-17530 exploit payloads
• Monitor HTTP traffic for suspicious patterns including nested %{ expressions and Java class references
• Utilize SentinelOne's behavioral AI to detect post-exploitation activities such as unauthorized command execution from web processes
• Scan applications with vulnerability scanners configured to detect S2-061 vulnerable configurations

Monitoring Recommendations

• Enable detailed access logging on all Struts 2 applications and forward logs to a SIEM for correlation
• Configure alerts for HTTP 500 errors accompanied by Java exception stack traces containing OGNL-related classes
• Monitor for reconnaissance scanning patterns targeting common Struts endpoints
• Implement file integrity monitoring on web application directories to detect unauthorized modifications
• Track process genealogy to identify shells or system commands spawned by Java application processes

How to Mitigate CVE-2020-17530

Immediate Actions Required

• Upgrade Apache Struts to version 2.5.26 or later immediately on all affected systems
• Apply vendor patches for Oracle products as detailed in the respective CPU (Critical Patch Update) advisories
• Conduct an inventory of all applications using Apache Struts to ensure complete coverage
• Review application code for patterns where user input is passed to Struts tag attributes with forced OGNL evaluation
• Implement network-level controls to restrict access to Struts applications while patching

Patch Information

Apache has released Struts version 2.5.26 which addresses this vulnerability. Organizations should upgrade to this version or later as the primary remediation. For the official security advisory and upgrade instructions, refer to the Apache Struts Security Bulletin S2-061.

Oracle has addressed this vulnerability in multiple Critical Patch Updates for affected products. Consult the Oracle CPU January 2021, Oracle CPU April 2021, Oracle CPU July 2021, Oracle CPU October 2021, and Oracle CPU January 2022 advisories for product-specific patch information.

Workarounds

• Avoid using forced OGNL evaluation (%{...}) in tag attributes with user-controllable values
• Implement strict input validation and sanitization for all user-supplied data before processing
• Deploy a web application firewall with signatures to block OGNL injection attempts as a defense-in-depth measure
• Consider network segmentation to limit exposure of vulnerable applications while patches are deployed
• Enable the Struts 2 security sandbox if upgrading is not immediately feasible, though this is not a complete mitigation

# Verify current Struts version in deployed applications
find /path/to/webapps -name "struts2-core-*.jar" -exec basename {} \;

# Check for vulnerable versions (2.0.0 - 2.5.25)
# Upgrade struts2-core dependency to 2.5.26 or later in pom.xml
# <dependency>
#   <groupId>org.apache.struts</groupId>
#   <artifactId>struts2-core</artifactId>
#   <version>2.5.26</version>
# </dependency>