CVE REFERENCE | CRITICAL VULNERABILITY | ACTIVE THREAT
March 7, 2017 | 11 min read

CVE-2017-5638 Explained: The Apache Struts Flaw Behind the Equifax Breach

A CVSS 10.0 OGNL injection vulnerability in Apache Struts 2 that enabled the largest consumer data breach in US history. 147 million records. A patch that existed for 78 days before it was applied.

Sources: NVD | Apache S2-045 | FTC Equifax Settlement
Eric Bang

Founder & Cybersecurity Evangelist

10.0 CVSS Score
147M Records Exposed
78 Days Unpatched
$575M FTC Settlement

CVE-2017-5638 is the Apache Struts 2 vulnerability that enabled one of the largest and most consequential data breaches in US history. Publicly disclosed on March 7, 2017, the flaw carries a CVSS score of 10.0 and allows unauthenticated remote code execution through a single maliciously crafted HTTP request. Apache released a patch on the same day as disclosure. A public exploit followed within hours.

Equifax, one of the three major US credit bureaus, was running vulnerable Struts 2 instances on a consumer dispute portal. Despite an internal policy requiring critical patches within 48 hours, the system remained unpatched for 78 days. During that window, attackers gained initial access, moved laterally across internal networks, and exfiltrated the personal and financial data of 147 million Americans over three months — undetected.

How CVE-2017-5638 Works: OGNL Injection via Content-Type Header

The vulnerability exists in the Jakarta Multipart parser used by Apache Struts 2 to handle file upload requests. When a multipart HTTP POST request contains an invalid Content-Type value, the parser generates an error message incorporating the raw header. That error string is passed to LocalizedTextUtil.findText(), which evaluates any OGNL (Object-Graph Navigation Language) expressions embedded within it.

OGNL is Apache Struts' built-in expression language. The Struts security sandbox is designed to restrict what OGNL can execute. CVE-2017-5638 bypasses that sandbox entirely, enabling an attacker to call Java methods, launch system processes, and read or write files — all from a single crafted Content-Type header value.

Affected versions include Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. No authentication is required. The vulnerability fires during header parsing before routing occurs, meaning any Struts 2 endpoint using the Jakarta Multipart parser — the default for file upload functionality — is exploitable regardless of application logic.

1. Enumerate Struts endpoints
Automated scanners identify public-facing web applications running Apache Struts 2, detectable via .action or .do URL patterns, Server headers, or distinctive error page formatting.

2. Inject OGNL payload
The attacker sends an HTTP POST with a Content-Type header containing a crafted OGNL expression that disables security manager restrictions and runs an OS command.

3. Confirm execution
The server evaluates the OGNL expression and returns command output in the HTTP response body, confirming unauthenticated RCE.

4. Deploy web shell
The attacker uploads a JSP-based web shell to a publicly accessible path, establishing persistent access that survives server restarts without requiring repeated exploitation.

5. Lateral movement
Using the web server process's internal network access, the attacker queries internal databases, traverses adjacent systems, and maps data stores not directly internet-accessible.

6. Exfiltration
Sensitive records are compressed and tunneled out over HTTPS to attacker infrastructure — bypassing SSL inspection if certificates have lapsed, as was the case at Equifax.

CVE-2017-5638 and the Equifax Breach: A Governance Failure

On March 7, 2017, the day the advisory dropped, US-CERT issued Alert TA17-071A urging immediate patching of CVE-2017-5638. Apache published S2-045 with technical details and fixed versions. Public exploit code was available within 24 hours.

Equifax had a written internal policy requiring critical vulnerability patches within 48 hours. The vulnerability was flagged internally. An automated scan ran — and reportedly failed to detect the vulnerable instance due to a misconfigured scan scope. The portal stayed unpatched.

Between May 13 and July 30, 2017, attackers exploited CVE-2017-5638 to access the consumer dispute portal and moved laterally through internal systems. They ran over 9,000 queries against 48 separate databases during the breach period, accessing Social Security numbers, birth dates, home addresses, driver's license numbers, and credit card details for 209,000 consumers.

The breach was not detected until July 29 — when a security analyst noticed suspicious traffic while reviewing an SSL inspection certificate that had been expired for 19 months. That expired certificate had blinded all inspection tooling to the encrypted exfiltration for the entire duration of the breach.

"Equifax's cybersecurity failures were widespread and left consumers' sensitive personal information at risk. A company that profits from collecting information has a particular obligation to protect it."

FTC Commissioner Rebecca Kelly Slaughter, Equifax Data Breach Settlement

Patching and Mitigating CVE-2017-5638

The definitive fix is upgrading to Apache Struts 2.3.32 or 2.5.10.1 or any later release. For environments where immediate upgrades are constrained, the following measures reduce exposure.

Upgrade Apache Struts immediately

Upgrade to Struts 2.3.32 or 2.5.10.1+. The patch rewrites the vulnerable error handling path so OGNL expressions in Content-Type headers are never evaluated. This is the only complete remediation.

Deploy WAF rules blocking OGNL syntax

Block HTTP requests whose Content-Type header contains OGNL expression openers such as the %{ and #{ combinations. OWASP ModSecurity CRS includes rules targeting this pattern. Test against legitimate multipart upload traffic before enforcing.
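The following is an added example, not code from the original article or from the OWASP CRS project, showing the two header checks a WAF rule for this flaw can combine: the denylist of expression openers the text describes, and a positive check that the header is a syntactically valid media type at all (braces are not RFC 7230 token characters, so a legitimate Content-Type never contains them outside a quoted parameter value). The "${" marker, the sample headers, and the three-way allow/review/block verdict are assumptions of this example.

```python
import re

# Expression openers that Struts' text parser evaluates. The article names the
# "%{" and "#{" combinations; "${" is the other opener OGNL/Struts recognise and
# is treated the same way here (an assumption of this example, not from the page).
OGNL_MARKERS = ("%{", "${", "#{")

# Positive model of a Content-Type value (RFC 7231 media-type over RFC 7230 tokens):
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
# Braces are not token characters, so an expression can only hide inside a
# quoted parameter value, which the marker check above still catches.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")


def has_ognl_marker(content_type: str) -> bool:
    """Denylist check: the rule shape the article describes for a WAF."""
    return any(marker in content_type for marker in OGNL_MARKERS)


def is_well_formed_media_type(content_type: str) -> bool:
    """Allowlist check: does the header even parse as a media type?"""
    return MEDIA_TYPE_RE.match(content_type) is not None


def triage(content_type: str) -> str:
    """'block' on an expression marker, 'review' on a malformed header, else 'allow'.

    Malformed-but-marker-free headers are only flagged for review so the rule can
    be tested against real upload traffic before it is set to enforce.
    """
    if has_ognl_marker(content_type):
        return "block"
    if not is_well_formed_media_type(content_type):
        return "review"
    return "allow"


# Constructed sample headers for the demonstration (not captured traffic).
SAMPLE_HEADERS = [
    "application/json",
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    'text/plain; charset="utf-8"',
    "multipart/form-data; boundary=%{1+1}",   # expression opener inside the header
    "multipart/form-data; boundary=",          # syntactically broken, no expression
]


def triage_all(headers=SAMPLE_HEADERS):
    """Map each header to its verdict; used by the stand-alone run below."""
    return {h: triage(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage_all().items():
        print(f"{verdict:6}  {header}")
```

The denylist alone is what most published rules do; the positive check is the cheaper guard against evasion by a marker the denylist does not list, because any OGNL expression needs braces and a valid Content-Type has none outside quoted strings.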

Disable the Jakarta Multipart parser if unused

If file upload functionality is not required, configure Struts to use an alternative parser or disable multipart handling in struts.xml. This eliminates the attack surface at the configuration level without requiring a version upgrade.

Build a complete Struts application inventory

Equifax failed to detect the vulnerable instance due to an incomplete asset inventory. Audit all Java web applications for embedded framework versions, including transitive dependencies and shaded JARs packaged into WAR files.
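As an added example that is not part of the original article, the scanner below does the inventory step the text calls for: it walks a directory of deployed archives, opens each WAR/JAR/EAR, recurses into nested jars, and reports every struts2-core it finds, both by jar filename and by the Maven pom.properties that survives when the jar is shaded into a differently named archive. The affected ranges are the ones stated earlier on this page (2.3.5 through 2.3.31, 2.5 through 2.5.10). The demo WAR, its jar names and its contents are constructed for this example.

```python
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Affected ranges from the advisory text above (inclusive); 2.3.32 and 2.5.10.1 are fixed.
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]
JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Standard Maven metadata path inside struts2-core; it survives shading/renaming.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # nested-archive recursion guard (also bounds zip-bomb exposure)


@dataclass
class Finding:
    location: str   # archive path, "!" separates nesting levels
    version: str
    source: str     # "filename" or "pom.properties"

    @property
    def vulnerable(self) -> bool:
        return is_vulnerable(self.version)


def _pad(v):
    """Pad a version tuple to four components so 2.5 == 2.5.0.0 and 2.5.10 < 2.5.10.1."""
    return tuple(v) + (0,) * (4 - len(v))


def is_vulnerable(version: str) -> bool:
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        return False  # unparseable version: report it, but do not claim a range match
    v = _pad(parts)
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in VULNERABLE_RANGES)


def _version_from_pom(zf):
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, label, findings, depth=0):
    names = zf.namelist()
    if POM_PROPS in names:  # shaded or renamed jar that bundles struts2-core
        ver = _version_from_pom(zf)
        if ver:
            findings.append(Finding(label, ver, "pom.properties"))
    for name in names:
        m = JAR_NAME_RE.search(name)
        if m:
            findings.append(Finding(f"{label}!{name}", m.group(1), "filename"))
            continue
        if depth < MAX_DEPTH and name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(nested, f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Scan every archive under root; returns a list of Finding."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _jar_bytes(pom_version=None):
    """Constructed jar: optionally carries a struts2-core pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if pom_version:
            jar.writestr(POM_PROPS, f"artifactId=struts2-core\nversion={pom_version}\n")
    return buf.getvalue()


def build_demo_war(directory):
    """Constructed sample WAR: one vulnerable struts2-core jar, one patched shaded jar."""
    war = Path(directory) / "dispute-portal.war"
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", _jar_bytes("2.3.31"))
        zf.writestr("WEB-INF/lib/portal-all.jar", _jar_bytes("2.5.10.1"))  # name hides Struts
        zf.writestr("WEB-INF/lib/commons-io-2.4.jar", _jar_bytes())
    return war


def demo_report():
    """Build the sample WAR in a temp dir, scan it, return (member, version, vulnerable)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_war(tmp)
        return [(f.location.split("!", 1)[1], f.version, f.vulnerable)
                for f in scan_tree(tmp)]


if __name__ == "__main__":
    for member, version, vulnerable in demo_report():
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {version:9} {member}")
```

Point it at the application server's deployment directory rather than at source repositories: the inventory gap the article describes was between what was built and what was actually running, and the pom.properties check is what catches a Struts copy that a filename-based scanner would miss.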

Monitor and rotate TLS inspection certificates

Expired inspection certificates created the detection blind spot that allowed three months of undetected exfiltration at Equifax. Implement automated certificate expiry alerting, with renewal enforced on a fixed cadence of at most 90 days by your security operations process.

The bottom line

CVE-2017-5638 is a 10-minute patch that turned into a $1.4 billion disaster. The vulnerability had a public exploit, a US-CERT advisory, and a fixed release all available on day one. Equifax had a written 48-hour patching policy. None of that mattered without processes and verification mechanisms to confirm the patch was actually applied.

The Equifax breach produced three permanent lessons. First, asset inventory is a prerequisite for patching — you cannot remediate what you do not know you own. Second, security tooling requires its own maintenance lifecycle — expired certificates created a detection gap as large as the vulnerability itself. Third, critical patch SLAs must include verification and escalation, not just assignment.

Apache Struts 2 continues to power legacy enterprise Java applications across banking, insurance, government, and retail. OGNL injection variants have appeared in multiple subsequent Struts releases. Organizations running Struts should treat it as a permanently elevated-risk component requiring active inventory management and priority patch treatment.


About the author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.

Tags: CVE-2017-5638, Apache Struts, OGNL injection, Equifax, RCE, Java, web application security