Years-Old Vulnerable Apache Struts 2 Versions See 387K Weekly Downloads
Why It Matters
Legacy Struts installations expose enterprises to critical remote‑code risks, and the massive download volume shows the urgency for rapid remediation across the software supply chain.
By Deeba Ahmed · January 15, 2026

It turns out that even in the world of software, “old” doesn’t mean “gone.” In a report shared with Hackread.com, cybersecurity researchers at Sonatype revealed a massive spike in downloads of long‑outdated Apache Struts versions.
The flaw in question is CVE‑2025‑68493. What makes this discovery unique is how it was found. According to the Apache Struts security bulletin (S2‑069), the vulnerability was identified by Zast AI, an autonomous AI security‑research system.
As AI now hunts for bugs faster than humans can, it’s a double‑edged sword: the holes are found quickly, but organisations often have almost no time to react before someone else exploits them.

What’s actually broken?
According to Sonatype researchers, the problem lies in the XWork component, the main engine that processes data in Struts. The flaw involves unsafe XML parsing—the way the software reads instructions.
“The real risk does not emerge at disclosure,” the researchers noted in the blog post, “it emerges in the lag between knowing and changing what is actually deployed.”
Further probing revealed that an attacker doesn’t need to be a master spy or take full control of a computer to cause trouble. By sending crafted input, they can force the system into an infinite loop, eating up CPU and memory until it crashes—a digital heart attack for a web server. This flaw impacts a huge range of versions, from 2.0.0 through 6.1.0, and carries a high severity score of 8.8.
The Dead Software Problem
The real shocker is the scale of the risk. In just one week, these vulnerable versions were downloaded more than 387,000 times, and a whopping 98% of those downloads were for End-of-Life (EOL) versions.
These are versions like Struts 2.3, which haven’t seen an official update in over 2,200 days. If you are using them, there is no official patch coming because the creators stopped supporting them years ago.

The Fix
A safe version, Struts 6.1.1, is available, but almost nobody is using it yet. This new version includes stricter parser hardening to block the attacks. Currently, only about 1.8% of the downloads (≈ 6,243 downloads) over the same period were for the secure version.
Researchers noted that these old versions remain deeply embedded in company systems, making them a ticking time bomb. Every version before 6.1.1 should be considered dangerous. If you’re a developer or a business owner, check your Struts versions now—the window to fix this is closing fast.
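As an added illustration of that check (not from the article, Sonatype or the Struts project), the following Python script reads `mvn dependency:tree` output and flags every Struts coordinate that falls in the affected 2.0.0 to 6.1.0 range or sits on the EOL 2.3 branch; the sample tree lines are constructed for the example.

```python
# Flag Apache Struts 2 coordinates in `mvn dependency:tree` output that fall in the
# CVE-2025-68493 range (2.0.0 through 6.1.0); 6.1.1 is the hardened release.
import re
AFFECTED_MIN = (2, 0, 0)
FIXED = (6, 1, 1)          # first release with the stricter XML parser hardening
EOL_BRANCHES = {(2, 3)}    # branch the article names as end-of-life, no patch coming
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Turn '2.3.37' or '6.1.1-SNAPSHOT' into a comparable tuple, or None."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def assess(version):
    """Classify one Struts version against the advisory's affected range."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v >= FIXED:
        return "fixed"
    return "vulnerable" if v >= AFFECTED_MIN else "unknown"

def scan_tree(tree_text):
    """One finding per org.apache.struts coordinate; Maven prints them as
    group:artifact:type[:classifier]:version:scope, so take the first version-like field."""
    findings = []
    for line in tree_text.splitlines():
        m = re.search(r"(org\.apache\.struts[\w.]*):(\S+)", line)
        if not m:
            continue
        fields = m.group(2).split(":")
        version = next((f for f in fields[1:] if parse_version(f)), None)
        if version is None:
            continue
        findings.append({
            "coordinate": f"{m.group(1)}:{fields[0]}",
            "version": version,
            "status": assess(version),
            "eol": parse_version(version)[:2] in EOL_BRANCHES,
        })
    return findings

# Constructed sample of `mvn dependency:tree` output; not taken from a real build.
SAMPLE_TREE = """\
[INFO] +- org.apache.struts:struts2-core:jar:2.3.37:compile
[INFO] +- org.apache.struts:struts2-convention-plugin:jar:6.1.0:compile
[INFO] +- org.apache.struts:struts2-json-plugin:jar:6.1.1:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""
```

Run `mvn dependency:tree` in each project and pipe its output through `scan_tree`; anything reported as `vulnerable` needs 6.1.1 or later, and an `eol` hit means the only remediation is migration, since no patch will ship for that branch.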
About the author
Deeba Ahmed is a veteran cybersecurity reporter at HackRead.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in‑depth analysis make her a key contributor to the platform’s trusted coverage.