Struts2 devMode Remote Code Execution Vulnerability

18/07/2016 17:25:31


In recent months, Struts2 exposed several critical vulnerabilities. This vulnerability appears when devMode is enabled, and allows attackers to execute code remotely. Even arbitrary instructions can be executed remotely if WebService startup privilege is the highest, such as commands for shutdown, creating new user accounts, deleting all the files on the server, and so on.  

Apache Struts 2 is one of the most widely used Java Web server framework in the world. devMode, as its name indicates, is development mode used by Struts2 developers to debug programs and view logs. It is disabled by default, however, in practice, many websites enable devMode when they are moved to production, making the web server exposed to security issues. This vulnerability must be fixed as soon as possible. 

Official documentation says that devMode must be switched off when application is moved from development to production, and Apache will not verify any vulnerability related to devMode.

Software Versions

Struts 2.1.0–2.5.1 with devMode enabled


1. Set devMode to false in the file struts.xml.

2. For Sangfor NGAF customers, update the IPS to version 20161714 version or above.

Our Social Networks

Global Service Center: