CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2017-5638 Explained: The Apache Struts Flaw Behind the Equifax Breach

A CVSS 10.0 OGNL injection vulnerability in Apache Struts 2 that enabled the largest consumer data breach in US history. 147 million records. A patch that existed for 78 days before it was applied.

10.0
CVSS Score
147M
Records Exposed
78
Days Unpatched
$575M
FTC Settlement

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2017-5638 is the Apache Struts 2 vulnerability that enabled one of the largest and most consequential data breaches in US history. Publicly disclosed on March 7, 2017, the flaw carries a CVSS score of 10.0 and allows unauthenticated remote code execution through a single maliciously crafted HTTP request. Apache released a patch on the same day as disclosure. A public exploit followed within hours.

Equifax, one of the three major US credit bureaus, was running vulnerable Struts 2 instances on a consumer dispute portal. Despite an internal policy requiring critical patches within 48 hours, the system remained unpatched for 78 days. During that window, attackers gained initial access, moved laterally across internal networks, and exfiltrated the personal and financial data of 147 million Americans over three months, undetected.

How CVE-2017-5638 Works: OGNL Injection via Content-Type Header

The vulnerability exists in the Jakarta Multipart parser used by Apache Struts 2 to handle file upload requests. When a multipart HTTP POST request contains an invalid Content-Type value, the parser generates an error message incorporating the raw header. That error string is passed to LocalizedTextUtil.findText(), which evaluates any OGNL (Object-Graph Navigation Language) expressions embedded within it.

OGNL is Apache Struts' built-in expression language. The Struts security sandbox is designed to restrict what OGNL can execute. CVE-2017-5638 bypasses that sandbox entirely, enabling an attacker to call Java methods, launch system processes, and read or write files, all from a single crafted Content-Type header value.

Affected versions include Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. No authentication is required. The vulnerability fires during header parsing before routing occurs, meaning any Struts 2 endpoint using the Jakarta Multipart parser, the default for file upload functionality, is exploitable regardless of application logic.

1

Enumerate Struts endpoints

Automated scanners identify public-facing web applications running Apache Struts 2, detectable via .action or .do URL patterns, Server headers, or distinctive error page formatting.

2

Inject OGNL payload

Attacker sends an HTTP POST with a Content-Type header containing a crafted OGNL expression that disables security manager restrictions and runs an OS command.

3

Confirm execution

The server evaluates the OGNL expression and returns command output in the HTTP response body, confirming unauthenticated RCE with no authentication challenge.

4

Deploy web shell

Attacker uploads a JSP-based web shell to a publicly accessible path, establishing persistent access that survives server restarts without requiring repeated exploitation.

5

Lateral movement

Using the web server process's internal network access, the attacker queries internal databases, traverses adjacent systems, and maps data stores not directly internet-accessible.

6

Exfiltration

Sensitive records are compressed and tunneled out over HTTPS to attacker infrastructure, bypassing SSL inspection if certificates have lapsed, as was the case at Equifax.

CVE-2017-5638 and the Equifax Breach: A Governance Failure

On March 7, 2017, US-CERT issued Alert TA17-071A urging immediate patching of CVE-2017-5638 the same day the advisory dropped. Apache published S2-045 with technical details and fixed versions. Public exploit code was available within 24 hours.

Equifax had a written internal policy requiring critical vulnerability patches within 48 hours. The vulnerability was flagged internally. An automated scan ran, and reportedly failed to detect the vulnerable instance due to a misconfigured scan scope. The portal stayed unpatched.

Between May 13 and July 30, 2017, attackers exploited CVE-2017-5638 to access the consumer dispute portal and moved laterally through internal systems. They ran over 9,000 queries against 48 separate databases during the breach period, accessing Social Security numbers, birth dates, home addresses, driver's license numbers, and credit card details for 209,000 consumers.

The breach was not detected until July 29, when a security analyst noticed suspicious traffic while reviewing an expired SSL inspection certificate that had been lapsed for 19 months. That expired certificate had blinded all inspection tooling to the encrypted exfiltration for the entire duration of the breach.

Equifax's cybersecurity failures were widespread and left consumers' sensitive personal information at risk. A company that profits from collecting information has a particular obligation to protect it.

FTC Commissioner Rebecca Kelly Slaughter, Equifax Data Breach Settlement
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating CVE-2017-5638

The definitive fix is upgrading to Apache Struts 2.3.32 or 2.5.10.1 or any later release. For environments where immediate upgrades are constrained, the following measures reduce exposure.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2017-5638 is a 10-minute patch that turned into a $1.4 billion disaster. The vulnerability had a public exploit, a US-CERT advisory, and a fixed release all available on day one. Equifax had a written 48-hour patching policy. None of that mattered without processes and verification mechanisms to confirm the patch was actually applied.

The Equifax breach produced three permanent lessons. First, asset inventory is a prerequisite for patching, you cannot remediate what you do not know you own. Second, security tooling requires its own maintenance lifecycle, expired certificates created a detection gap as large as the vulnerability itself. Third, critical patch SLAs must include verification and escalation, not just assignment.

Apache Struts 2 continues to power legacy enterprise Java applications across banking, insurance, government, and retail. OGNL injection variants have appeared in multiple subsequent Struts releases. Organizations running Struts should treat it as a permanently elevated-risk component requiring active inventory management and priority patch treatment.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2017-5638 and how did it enable the Equifax breach?

CVE-2017-5638 is a CVSS 10.0 OGNL injection vulnerability in Apache Struts 2's Jakarta Multipart parser. An attacker sends a malicious Content-Type header containing an OGNL expression, which executes arbitrary OS commands on the server. Equifax ran vulnerable Struts 2 on a consumer portal and failed to apply the patch for 78 days, allowing attackers to exfiltrate 147 million records over three months undetected.

How do I fix CVE-2017-5638?

Upgrade Apache Struts to 2.3.32 or 2.5.10.1 or later. As a temporary measure, deploy WAF rules blocking OGNL syntax in Content-Type headers. Audit all Java web applications for embedded Struts versions, including transitive dependencies in WAR files.

Is CVE-2017-5638 still being exploited?

Yes. Apache Struts 2 continues to power legacy enterprise Java applications in banking, insurance, and government. CVE-2017-5638 and subsequent OGNL injection variants remain active targets for automated scanners and threat actors targeting unpatched legacy deployments.

What is OGNL injection and why is it so dangerous in Apache Struts?

OGNL (Object-Graph Navigation Language) is Apache Struts' built-in expression language for rendering dynamic content. OGNL has deep access to the Java runtime: it can invoke Java methods, call Runtime.exec() to run OS commands, and access system properties. When unsanitized user input reaches OGNL evaluation, an attacker can execute arbitrary operating system commands as the application server process user. Apache Struts has been affected by multiple distinct OGNL injection CVEs beyond CVE-2017-5638, making the framework a permanently elevated-risk component requiring active version management.

How long did Equifax take to patch CVE-2017-5638 and why?

Equifax took 78 days to apply the patch for CVE-2017-5638. The patch was available March 7, 2017, the same day as the advisory. Equifax had an internal policy requiring critical patches within 48 hours. An internal scan was reportedly run to identify the vulnerable system but failed to detect it due to a misconfigured scan scope that excluded the consumer dispute portal where the vulnerable Struts instance ran. The failure demonstrates that patch SLAs are only as good as the asset inventory and scan coverage that underpins them.

What data was stolen in the Equifax breach from CVE-2017-5638?

During the May-July 2017 breach period, attackers accessed: Social Security Numbers, birth dates, home addresses, and driver's license numbers for 147 million Americans; credit card numbers for 209,000 consumers; and dispute documents with PII for 182,000 individuals. The data was extracted via over 9,000 queries against 48 separate databases during the breach period. The FTC settled with Equifax for up to $700 million and required a $425 million consumer compensation fund. The breach also exposed personal data for an estimated 15 million UK residents and 19,000 Canadian residents.

Sources & references

  1. NVD
  2. Apache S2-045
  3. FTC Equifax Settlement

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.