Summary

Vulnerability Name: XML External Entity Injection (XXE) in Apache Struts (CVE-2025-68493)
Released on: January 14, 2026
Affected Component: Apache Struts
Affected Versions:
  2.0.0 ≤ Apache Struts ≤ 2.3.37
  2.5.0 ≤ Apache Struts ≤ 2.5.33
  6.0.0 ≤ Apache Struts ≤ 6.1.0
Vulnerability Type: XXE
Exploitation Conditions:
  1. User authentication: not required.
  2. Precondition: default configuration.
  3. Trigger mode: remote.
Impact:
  Exploitation difficulty: easy. Unauthenticated attackers can exploit this vulnerability to obtain sensitive data.
  Severity: critical. This vulnerability can result in sensitive data leakage on the server.
Official Solution: available

About the Vulnerability

Component Introduction

Apache Struts is a free, open-source model-view-controller (MVC) framework for creating elegant, modern Java web applications. It favors convention over configuration, supports extension using a plugin architecture, and ships with plugins to support REST, AJAX, and JSON.

Vulnerability Description

On January 14, 2026, Sangfor FarSight Labs received notification of the XXE vulnerability in Apache Struts (CVE-2025-68493), classified as critical in threat level.

Specifically, Apache Struts contains an XXE vulnerability that arises because the XWork-Core component does not adequately validate and restrict XML external entities when parsing XML configuration files. An attacker who can supply crafted XML content can cause the parser to resolve external entities. Successful exploitation may result in sensitive data leakage, denial of service, and other security impacts.

Affected Versions

The following Apache Struts versions are affected:

2.0.0 ≤ Apache Struts ≤ 2.3.37

2.5.0 ≤ Apache Struts ≤ 2.5.33

6.0.0 ≤ Apache Struts ≤ 6.1.0

Solutions

Remediation Solutions

Official Solutions

An official fix has been released. Affected users are advised to update Apache Struts to version 6.1.1 or later.

Download link: https://struts.apache.org/download.cgi

Users who cannot update immediately can apply one of the following mitigations:

  1. Use a custom SAXParserFactory class: set xwork.saxParserFactory to point to a custom factory class that disables external entities by default.
  2. Define Java Virtual Machine (JVM) configurations: disable external entities in the JVM's default XML parser by setting the following system properties to an empty string, which blocks all protocols:

  -Djavax.xml.accessExternalDTD=""
  -Djavax.xml.accessExternalSchema=""
  -Djavax.xml.accessExternalStylesheet=""
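The following is an added example of the custom factory described in mitigation 1; it is not Apache Struts or Sangfor code. It assumes that xwork.saxParserFactory is read as a JVM system property naming a class with a public no-argument constructor (for example -Dxwork.saxParserFactory=com.example.HardenedSAXParserFactory), and it deliberately leaves the DOCTYPE declaration allowed, because struts.xml carries one.

```java
import java.util.Arrays;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/** Added example: wraps the JVM's default SAXParserFactory and refuses external
 *  entity resolution for every parser it creates. Class name is hypothetical. */
public class HardenedSAXParserFactory extends SAXParserFactory {
    // Features that must stay false; attempts to re-enable them are rejected below.
    private static final List<String> EXTERNAL = Arrays.asList(
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd");

    private final SAXParserFactory delegate = SAXParserFactory.newInstance();

    public HardenedSAXParserFactory() { // public no-arg constructor: loaded by class name
        try {
            delegate.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            for (String feature : EXTERNAL) delegate.setFeature(feature, false);
            // DOCTYPE itself is not disallowed: struts.xml declares one.
        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new IllegalStateException("cannot harden SAX parser", e); // fail closed
        }
    }

    @Override public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        return delegate.newSAXParser();
    }

    @Override public void setFeature(String name, boolean value)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        if (value && EXTERNAL.contains(name))
            throw new SAXNotSupportedException("external entities are disabled: " + name);
        delegate.setFeature(name, value);
    }

    @Override public boolean getFeature(String name)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        return delegate.getFeature(name);
    }

    // Forward the flags the base class would otherwise keep in its own fields.
    @Override public void setNamespaceAware(boolean v) { delegate.setNamespaceAware(v); }
    @Override public void setValidating(boolean v)     { delegate.setValidating(v); }
    @Override public boolean isNamespaceAware()        { return delegate.isNamespaceAware(); }
    @Override public boolean isValidating()            { return delegate.isValidating(); }
}
```

Verify the mitigation after deployment by confirming that a configuration file containing an external entity reference no longer resolves it, and that normal struts.xml loading still succeeds.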

Temporary Solutions

  1. Disable unused functional modules to reduce attack entry points.
  2. Follow the principle of least privilege to strictly control the scope of permissions for sensitive operations.
  3. Do not expose services to the Internet unless necessary, to limit the access sources to trusted ranges.
  4. Regularly update the system and components to secure versions so that known vulnerabilities can be patched at the earliest opportunity.

Sangfor Solutions

Risky Asset Discovery

The following Sangfor service can conduct proactive detection on Apache Struts to detect affected assets in batches in business scenarios:

  • Athena Endpoint Protection Platform (EPP): The corresponding asset discovery solution has been released. The fingerprint ID is 0004960.

Proactive Vulnerability Detection

The following Sangfor services can proactively detect the CVE-2025-68493 vulnerability and quickly identify vulnerability risks in batches in business scenarios:

  • Athena Managed Detection and Response (MDR): The corresponding detection solution will be released on March 30, 2026. The rule ID is SF-2026-01002.
  • Athena Extended Detection and Response (XDR): The corresponding detection solution will be released on January 16, 2026. The rule ID is SF-2026-00432.

Vulnerability Monitoring

The following Sangfor services support CVE-2025-68493 vulnerability monitoring, and can quickly identify affected assets and the impact scope in business scenarios in real time through traffic collection:

  • Athena Network Detection and Response (NDR): The corresponding monitoring solution will be released on January 16, 2026. The rule ID is 11228002.
  • Athena MDR: The corresponding monitoring solution will be released on January 16, 2026. The rule ID is 11228002. In this case, make sure that Athena MDR is integrated with Athena NDR.
  • Athena XDR: The corresponding monitoring solution will be released on January 16, 2026. The rule ID is 11228002.
  • Sangfor Traffic Monitoring GPT: Sangfor Traffic Monitoring GPT can detect attacks and threats targeting this vulnerability based on its understanding of attacks and code, without the need to configure rules.

Vulnerability Prevention

The following Sangfor services can effectively block CVE-2025-68493 exploits:

  • Athena Next-Generation Firewall (NGFW): The corresponding prevention solution will be released on January 16, 2026. The rule ID is 11228002.
  • Sangfor Web Application Firewall (WAF): The corresponding prevention solution will be released on January 16, 2026. The rule ID is 11228002.
  • Athena MDR: The corresponding prevention solution will be released on January 16, 2026. The rule ID is 11228002. In this case, make sure that Athena MDR is integrated with Athena NGFW.
  • Athena XDR: The corresponding prevention solution will be released on January 16, 2026. The rule ID is 11228002. In this case, make sure that Athena XDR is integrated with Athena NGFW.

Timeline

On January 14, 2026, Sangfor FarSight Labs received notification of the XXE vulnerability in Apache Struts (CVE-2025-68493).

On January 14, 2026, Sangfor FarSight Labs released a vulnerability alert.

Reference

https://cwiki.apache.org/confluence/display/WW/S2-069

Learn More

Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.
