Critical Apache Struts Vulnerability Exploited in Live Attacks

A severe vulnerability has been detected in the Apache Struts 2 framework. The vulnerability allows full remote code execution and is being actively exploited in the wild.


The UBC Cybersecurity team has been in contact with all known owners of applications relying on Apache Struts. If you are responsible for an application that uses the Struts framework and have not been contacted by us, please email Aaron Heck immediately.



  • Critical


CVE Number

  • CVE-2018-11776


Impacted Platforms

  • Apache Struts 2.3 – Struts 2.3.34, Struts 2.5 – Struts 2.5.16
  • Unsupported Struts versions (i.e., all versions < 2.3) may also be affected
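
One way to check whether a server hosts a Struts version in the ranges listed above is to inventory its deployed jars. The following is an added example, not part of the original advisory; it assumes the library keeps its default Maven file name (struts2-core-<version>.jar), and the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

# Inclusive version ranges copied from the "Impacted Platforms" list.
AFFECTED = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]
ARCHIVES = {".war", ".ear", ".jar"}
# Assumption: the jar keeps its default Maven file name, struts2-core-<version>.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(text):
    """'2.5' -> (2, 5, 0); longer versions such as '2.3.16.3' keep every part."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version):
    """Map a version tuple onto the advisory's categories."""
    if version < (2, 3, 0):
        return "unsupported"  # listed as "may also be affected"
    if any(low <= version <= high for low, high in AFFECTED):
        return "affected"
    return "not listed"  # outside the ranges this advisory names

def scan(root):
    """Return (location, version, status) for each struts2-core jar under root.
    Checks loose files and one level inside WAR/EAR/JAR archives; nested
    archives and renamed or shaded jars are not detected."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        candidates = [path.as_posix()]
        if path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                candidates += [f"{path.as_posix()}!/{n}" for n in archive.namelist()]
        for location in candidates:
            match = JAR_RE.search(location)
            if match:
                version = match.group(1)
                findings.append((location, version, classify(parse_version(version))))
    return findings

if __name__ == "__main__":
    for location, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version:10} {location}")
```

Run it with the application server's deployment directory as the only argument; a result of "not listed" means only that the version falls outside the ranges named in this advisory.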


Recommended Actions


More information