Critical XXE Vulnerability in Apache Struts 2 (CVE-2025-68493)
A critical XML External Entity (XXE) injection vulnerability, tracked as CVE-2025-68493, has been identified in the XWork component of Apache Struts 2. This flaw allows attackers to exploit improper XML input validation, potentially leading to sensitive data disclosure, server-side request forgery (SSRF), and denial-of-service (DoS) attacks. The vulnerability affects a wide range of Struts 2 versions, including 2.0.0–2.3.37, 2.5.0–2.5.33, and 6.0.0–6.1.0, exposing millions of applications to risk. Security researchers at ZAST.AI reported the issue, and Apache has rated the vulnerability as 'Important' due to its significant impact on data confidentiality and system availability.
Organizations using affected versions are strongly advised to upgrade to Struts 6.1.1, which addresses the vulnerability. The issue is remotely exploitable and has been assigned a CVSS 3.1 score of 8.1 (High). Immediate patching is recommended to prevent exploitation, as attackers can leverage this flaw to extract configuration files, database credentials, and other sensitive information from vulnerable servers. The vulnerability has been confirmed by both independent security researchers and the Apache security team.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Sonatype reports heavy continued downloads of vulnerable Struts versions
Sonatype researchers reported that more than 387,000 downloads of vulnerable Apache Struts versions occurred in a single week, with 98% involving end-of-life releases. The finding highlighted slow adoption of the fixed Struts 6.1.1 release and ongoing supply-chain exposure tied to CVE-2025-68493.
oss-sec discussion links flaw to insecure Java XML defaults
Follow-up discussion on oss-sec argued that CVE-2025-68493 and similar recent Apache XXE issues share a root cause in insecure XML parsing defaults in Java's standard library. Participants called for broader audits of XML parsing across Apache projects.
CVE entry updated with CVSS scoring and references
The CVE-2025-68493 record was modified to add CVSS v3.1 scoring details and additional references. The update reflected a high-severity rating and expanded metadata around the disclosure.
CVE record for CVE-2025-68493 is published
The CVE entry for CVE-2025-68493 was published with high-severity classification and references to the Apache advisory and oss-security disclosure. It described the flaw as remotely exploitable with low attack complexity and user interaction required.
Apache discloses CVE-2025-68493 and releases Struts 6.1.1
Apache disclosed CVE-2025-68493, an XXE issue caused by missing XML validation in the outdated XWork component, affecting Struts/XWork versions up to 6.1.0. Apache recommended upgrading to Struts 6.1.1 and published advisory S2-069, with mitigations for users unable to upgrade immediately.
ZAST.AI researchers discover and report Struts XXE flaw
Researchers at ZAST.AI identified an XML External Entity vulnerability in Apache Struts' XWork XML parsing and reported it to the Apache Struts team. The flaw was later tracked as CVE-2025-68493.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Outdated Apache Struts versions see spike in downloads, posing security risk | SC Media
scworld.com
Open sourceData theft, SSRF intrusions likely with critical Apache Struts 2 bug | SC Media
scworld.com
Open sourceRe: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component
seclists.org
Open sourceCritical Apache Struts 2 Vulnerability Allow Attackers to Steal Sensitive Data
cybersecuritynews.com
Open sourceThe XML Trap: Critical Struts 2 Flaw CVE-2025-68493 Exposes Data
securityonline.info
Open sourceCVE-2025-68493 - Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component
cvefeed.io
Open sourceCVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Struts 2 Denial-of-Service Vulnerability via File Leak in Multipart Request Processing
A high-severity vulnerability, tracked as CVE-2025-66675, has been identified in Apache Struts 2, affecting versions 2.0.0 through 6.7.4 and 7.0.0 through 7.0.3. The flaw arises from a file leak in the multipart request processing component, which can lead to disk exhaustion and result in a denial-of-service (DoS) condition. Attackers can exploit this vulnerability remotely, potentially causing affected servers to crash by exhausting disk resources. The issue has been addressed in versions 6.8.0 and 7.1.1, and users are strongly advised to upgrade to these fixed versions to mitigate the risk. The vulnerability is related to improper handling of file uploads in multipart requests, which can allow attackers to trigger uncontrolled file creation or retention, leading to resource exhaustion. Security advisories recommend prompt patching, as the flaw is remotely exploitable and could be leveraged in automated attacks targeting exposed Struts 2 instances. No evidence of exploitation in the wild has been reported as of the latest updates, but the critical nature of the flaw warrants immediate attention from organizations using vulnerable versions.
Mar 21, 2026
Apache CXF Patches LDAP Injection, XXE, and Incomplete-Fix RCE Flaws
The Apache Software Foundation released security updates for **Apache CXF** to fix three newly disclosed vulnerabilities affecting enterprise deployments of the services framework. The flaws include **`CVE-2026-44930`**, an LDAP injection issue in the XKMS LDAP certificate repository that can let attackers manipulate backend search filters and retrieve arbitrary digital certificates, potentially enabling impersonation, interception of encrypted communications, and lateral movement. Apache also addressed an **XXE** flaw in WS-Transfer caused by insecure XML parser configuration, which could expose sensitive files and support internal network mapping, as well as a possible **remote code execution** condition tied to an incomplete fix for an older JMS-related bug. Affected releases include **4.2.0**, **4.0.0 through 4.1.5**, and older branches before **3.6.11**. Apache published patched versions **4.2.1**, **4.1.6**, and **3.6.11**, and guidance urges organizations to upgrade immediately, review LDAP access controls, monitor certificate access activity, and reduce exposure of XKMS components where possible. The disclosures indicate that while the LDAP flaw does not itself provide code execution, the combined set of weaknesses could materially affect trust infrastructure and server security in vulnerable environments.
May 26, 2026
Apache Syncope Patches XSS and XXE Flaws Enabling Session Hijacking and Data Leakage
The Apache Software Foundation released security updates for *Apache Syncope* to address vulnerabilities that could enable **session hijacking** and **sensitive data exposure** in identity-management deployments. One issue, **CVE-2026-23794**, is a **reflected XSS** flaw in the **Enduser Login** page where an attacker can trick a user into clicking a crafted link, leading to arbitrary JavaScript execution in the victim’s browser and potential theft of session cookies or actions performed as the user. A second issue, **CVE-2026-23795**, is an **XML External Entity (XXE)** vulnerability in the **Syncope Console** related to creating/editing **Keymaster parameters**; it requires an attacker to have (or obtain) administrator-level entitlements, but can then be used to submit malicious XML to trigger data leakage and potentially facilitate session compromise. Reported affected versions include **3.0–3.0.15** and **4.0–4.0.3**, with fixes available in **3.0.16** and **4.0.4**; organizations running impacted releases are advised to upgrade promptly, particularly given Syncope’s role in authentication and access control.
Mar 21, 2026