CVE-2025-64775
Apache · Apache Struts
Executive summary
A high-severity vulnerability has been identified in Apache Struts, a widely used web application framework. An unauthenticated attacker can exploit the flaw remotely by sending specially crafted requests that cause temporary files to accumulate until all available disk space is exhausted. The resulting denial of service can render the application, and potentially the entire server, unavailable.
Vulnerability
The vulnerability exists within the multipart request processing component of Apache Struts. When handling a multipart/form-data request (typically used for file uploads), the framework does not reliably clean up the temporary files it creates during processing. An unauthenticated remote attacker can exploit this by sending a series of crafted requests, so that temporary files are continuously created and left on disk. This file leak eventually exhausts the disk, preventing the application and other system services from writing new data and resulting in a complete denial of service.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation directly impacts service availability, which can lead to significant business disruption. An outage of critical web applications can result in direct financial loss, damage to the organization's reputation, and a negative customer experience. Since the attack is simple to execute and requires no authentication, any internet-facing application using a vulnerable version of Apache Struts is at high risk of being taken offline by malicious actors.
Remediation
Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. After patching, review system and application access logs for any signs of exploitation attempts, such as an unusually high volume of POST requests with multipart/form-data content.
Proactive Monitoring: Implement continuous monitoring of disk space utilization on all servers running Apache Struts applications, with alerts configured for rapid or unexpected growth. Security teams should monitor web server logs and Web Application Firewall (WAF) logs for patterns indicative of an attack, such as a large number of multipart requests from a single source IP address in a short period.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce exposure. Configure a Web Application Firewall (WAF) to rate-limit multipart POST requests. Additionally, consider applying disk quotas to the user account running the application server, so that disk exhaustion is contained to that account and does not affect the entire operating system. A scheduled script that periodically cleans the relevant temporary file directories can also serve as a temporary mitigation.
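The log-based detection suggested under Proactive Monitoring, worked through as an added example that is not part of this advisory or of the Struts project: it reads access-log lines, keeps a sliding window of multipart POST requests per source IP, and flags any source that exceeds a threshold within the window. It assumes a combined-format access log with the request Content-Type header appended as a final quoted field (for example via `%{Content-Type}i` in Tomcat's AccessLogValve pattern); the log lines, IP addresses and thresholds are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format with the request Content-Type header as a final quoted field
# (assumption: the access log was configured to record that header).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_multipart_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP that sent more than `threshold` multipart POSTs within
    any `window`-long sliding interval to its peak in-window count.
    Lines are assumed to be in chronological order, as the server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent multipart POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["ctype"].lower().startswith("multipart/form-data"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

def _sample(ip, sec, method="POST", path="/upload.action",
            ctype="multipart/form-data; boundary=----abc"):
    # Constructed sample log line, not real traffic.
    return (f'{ip} - - [02/Dec/2025:10:15:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "curl/8.4.0" "{ctype}"')

# Constructed sample: one ordinary visitor, one source hammering the upload endpoint.
SAMPLE_LOG = [_sample("198.51.100.2", 0, "GET", "/index.action", "-"),
              _sample("198.51.100.2", 4)] + [_sample("203.0.113.7", s) for s in range(10, 50, 5)]
```

Pair the alert with the disk-utilisation monitoring described above, since a slow trickle of requests spread across many source addresses will stay under any per-IP threshold but still shows up as steady growth in the temporary file directory.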
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the high severity (CVSS 7.5), the public availability of exploit code, and the significant impact on service availability, it is strongly recommended that organizations prioritize the immediate patching of this vulnerability. All internet-facing systems running vulnerable versions of Apache Struts should be considered at critical risk. Although this CVE is not currently listed on the CISA KEV catalog, its potential for business disruption warrants an urgent response. If patching is delayed for any reason, compensating controls must be deployed without delay.