Safeguard
Vulnerability Analysis

Struts2 OGNL injection RCE (CVE-2018-11776)

CVE-2018-11776 lets remote attackers achieve full RCE in Apache Struts2 via OGNL injection in URL namespaces. Impact, timeline, and fixes inside.

Nayan Dey
Security Researcher
7 min read

A specially crafted URL was all it took to turn a default Apache Struts2 configuration into a remote shell. CVE-2018-11776 is a critical OGNL (Object-Graph Navigation Language) injection vulnerability in the Struts2 core that allows unauthenticated attackers to achieve remote code execution (RCE) simply by embedding an OGNL expression in the URL namespace or action name — no file upload, no authentication, and in many cases no custom application code required. Because the flaw lives in framework-level URL handling rather than a specific plugin, it affected an enormous number of internet-facing Java applications, and it was weaponized by mass-scanning botnets within days of disclosure. This post breaks down the vulnerability, who it affects, and — more importantly — what to do about it if you still have Struts2 anywhere in your estate.

What Is CVE-2018-11776?

Struts2 resolves incoming requests by mapping the URL path to a namespace and an action name, then routes the request through its result-rendering pipeline. Under a specific but common configuration — struts.mapper.alwaysSelectFullNamespace set to true, combined with an action that either omits an explicit namespace attribute or uses a redirectAction result type without a hardcoded namespace/action — Struts2 treats part of the attacker-controlled URL as an OGNL expression and evaluates it server-side.

OGNL is the expression language Struts2 uses internally to bind form data and tag attributes to Java objects. When user input reaches the OGNL evaluator unsanitized, an attacker can escape the intended expression context and call arbitrary Java methods — including Runtime.exec() — resulting in full RCE with the privileges of the application server process.

This is the same underlying vulnerability class that produced CVE-2017-5638 (the Equifax breach vector) and several other Struts2 RCEs before and after it: OGNL injection remains the single most consequential recurring weakness in the framework's history. What made CVE-2018-11776 notable is that the vulnerable configuration — alwaysSelectFullNamespace: true — is the default behavior enabled by the popular Struts2 REST and Convention plugins, meaning many teams were exposed without ever explicitly opting into the risky setting.

Affected Versions and Components

  • Apache Struts 2.3.x through 2.3.34
  • Apache Struts 2.5.x through 2.5.16
  • Fixed in Struts 2.3.35 and 2.5.17, released August 22, 2018

Any application built on these Struts2 core versions is potentially exposed, but real-world risk concentrates in apps that:

  • Use the Struts REST plugin or Convention plugin (both toggle alwaysSelectFullNamespace to true by default)
  • Rely on redirectAction results without explicitly specifying a namespace
  • Use <s:url> or <s:a> tags without explicit namespace/action/value attributes
  • Ship the Struts Showcase demo application, which was the original proof-of-concept target and is still found deployed (accidentally) in production environments

Because Struts2 is frequently vendored inside commercial and open-source products rather than deployed directly by name, organizations often discover exposure only after an SBOM or composition scan surfaces a transitive struts2-core dependency they didn't know they had.

Severity, Exploit Probability, and KEV Status

  • CVSS v3 Base Score: 8.1 (High)AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The "High" attack complexity reflects the need for the specific alwaysSelectFullNamespace configuration, but given how common that default is via REST/Convention plugins, real-world exploitability is closer to trivial once a vulnerable endpoint is identified.
  • EPSS: This CVE has consistently scored in the upper percentile bands (historically in the 0.9+ range) due to widely available public exploit code, Metasploit and Nuclei modules, and sustained mass-scanning activity. Treat any Struts2 CVE with public PoCs as a near-certain exploitation target for opportunistic scanning, and confirm current EPSS via the FIRST.org API before prioritizing a remediation window.
  • CISA KEV: Apache Struts OGNL-injection vulnerabilities are represented in CISA's Known Exploited Vulnerabilities catalog, reflecting confirmed in-the-wild exploitation. Federal agencies and any organization following BOD 22-01-style patching cadences should treat unpatched Struts2 instances as a compliance-relevant gap, not just a theoretical risk.

The combination of a high CVSS score, sustained high EPSS pressure, and confirmed wild exploitation is exactly the profile that should push a vulnerability to the top of a remediation backlog regardless of internal severity scoring nuances.

Timeline

  • Early 2018 — Man Yue Mo of the Semmle Security Research team (now part of GitHub Security Lab) identifies the OGNL injection flaw in Struts2's namespace-handling logic and privately reports it to the Apache Struts security team.
  • August 22, 2018 — Apache publicly discloses CVE-2018-11776 and releases patched versions 2.3.35 and 2.5.17. Semmle publishes a technical write-up demonstrating RCE against the Struts Showcase application.
  • Days after disclosure — Public proof-of-concept exploits circulate; mass internet scanning begins almost immediately, echoing the exploitation pattern seen with CVE-2017-5638 a year earlier.
  • September 2018 — Exploit modules land in Metasploit and other commodity offensive tooling, lowering the skill bar for exploitation to near zero.
  • 2018–present — Opportunistic scanning and exploitation continue in waves, frequently bundled into cryptomining and botnet campaigns targeting internet-facing Java applications that never migrated off vulnerable Struts2 releases.

Remediation Steps

  1. Upgrade Struts2 immediately. Move to 2.3.35, 2.5.17, or — preferably — the latest supported Struts2/Struts6 release, since the framework has had multiple subsequent OGNL-related CVEs. Patching to the minimum fixed version without a broader upgrade plan just resets the clock on the next disclosure.
  2. Audit struts.mapper.alwaysSelectFullNamespace. If you cannot upgrade immediately, explicitly set this to false in struts.xml and verify no plugin silently re-enables it.
  3. Hardcode namespace and action attributes. Review every redirectAction result and every <s:url>/<s:a> tag to ensure namespace and action/value are explicitly set rather than inferred from the request path.
  4. Remove the Struts Showcase app and any other demo/sample applications from production deployments — they are a recurring, low-effort exploitation target.
  5. Deploy virtual patching at the WAF/edge layer as a stopgap: block requests containing OGNL indicators such as %24%7B, #context, #_memberAccess, or java.lang.Runtime in URL path segments.
  6. Inventory transitive exposure. Generate or refresh SBOMs across your application portfolio to find struts2-core pulled in as a vendored or transitive dependency — this is how Struts2 exposure typically hides in organizations that believe they've already removed it.
  7. Harden the blast radius. Run application servers with least-privilege service accounts, restrict outbound network egress from app tiers, and monitor for unexpected child processes spawned by the JVM or unauthorized files written into webapp directories — both are classic post-exploitation indicators for this CVE.

How Safeguard Helps

Safeguard turns this kind of legacy-but-still-lethal CVE from a guessing game into a prioritized action item. Our SBOM generation and ingest pipeline surfaces every instance of struts2-core across your services — including vendored and transitive copies that traditional inventories miss — so you know your real exposure footprint in minutes, not weeks. Reachability analysis then determines whether your specific code paths actually invoke the vulnerable namespace-resolution and OGNL-evaluation logic, cutting through noisy CVSS-only prioritization to tell you which findings are truly exploitable versus theoretical. Griffin AI correlates that reachability data with CVSS, EPSS, and KEV context to rank CVE-2018-11776 (and everything else in your backlog) by actual risk, not just severity score. When it's time to act, Safeguard's auto-fix PRs can propose the dependency bump to a patched Struts2 release directly against your repository, complete with the context your team needs to review and merge with confidence — turning a historically slow, manual patch cycle into a same-day fix.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.