Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
A crafted Content-Type header is parsed as an OGNL expression — commands execute as the application user. The origin of the 2017 Equifax breach: an unpatched Struts endpoint exposed to the internet.
§ Context
Assumed environment: the target runs a Java app on Apache Struts 2.3 / 2.5 unpatched for S2-045 — an old CVE, but still routinely found in legacy / regional financial / telecom apps.
§ Steps
- 01 · Bulk customer PII exfil · Exfiltration · T1041 — Exfiltration Over C2 Channel
- 02 · Spawn shell as Struts service user · Execution · T1059 — Command and Scripting Interpreter
- 03 · Pivot to database via app config · Credential Access · T1552 — Unsecured Credentials
- 04 · Find Struts endpoint (action / Multipart) · Reconnaissance · W-RECON-FINGERPRINT — Tech Stack Fingerprinting
- 05 · Send malicious Content-Type → OGNL eval · Initial Access · CVE-STRUTS-S2-045 — Apache Struts Content-Type RCE (S2-045 / CVE-2017-5638)
§ References
§ Frequently asked
- What is the "Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach" attack path?
- Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Bulk customer PII exfil (T1041) — an exfiltration primitive. Assumed environment: target runs a Java app on Apache Struts 2.
- What is the final impact of this kill-chain?
- The final step lands on Send malicious Content-Type → OGNL eval (CVE-STRUTS-S2-045), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
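One concrete control for the Content-Type step: validate the header against the RFC 7231 media-type grammar and flag OGNL expression openers, whether as a WAF rule or in a pass over access logs. This is an added example, not code from the dossier; the log-line format and the `%{#constructed_ognl_marker}` value are constructed for illustration, not a working payload.

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS name "=" (token / quoted-string) ).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*;?\s*$")

# OGNL expression openers; a legitimate media type never contains them.
_OGNL_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Return 'ognl' (expression marker present), 'malformed' (fails grammar) or 'ok'."""
    if any(marker in value for marker in _OGNL_MARKERS):
        return "ognl"
    if not _MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


# Constructed access-log format (hypothetical): client, method, path, quoted Content-Type.
_LINE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ctype>[^"]*)"$')


def scan_log(lines):
    """Yield (ip, path, verdict) for every request whose Content-Type is not 'ok'."""
    for line in lines:
        match = _LINE.match(line)
        if not match:
            continue
        verdict = classify_content_type(match["ctype"])
        if verdict != "ok":
            yield (match["ip"], match["path"], verdict)


# Constructed sample lines: two benign uploads, one OGNL-shaped header, one broken parameter.
SAMPLE_LOG = [
    '10.0.0.5 POST /upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '10.0.0.5 POST /login.action "application/x-www-form-urlencoded"',
    '203.0.113.9 POST /upload.action "%{#constructed_ognl_marker}"',
    '203.0.113.9 POST /upload.action "multipart/form-data; boundary"',
]

if __name__ == "__main__":
    for ip, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:<9} {ip:<12} {path}")
```

Header validation is a compensating control only; the actual fix for S2-045 is upgrading Struts to 2.3.32 / 2.5.10.1 or later.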
§ Related dossiers
- Shared techniques: 3
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Shared techniques: 3
Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- Shared techniques: 3
FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- Shared techniques: 2
Multi-agent confused-deputy → tool-call escalation
User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- Shared techniques: 2
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Shared techniques: 2
Evil maid → sniff TPM unseal → decrypt BitLocker offline
Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.