What Really Caused the Equifax Breach? Unpacking Apache Struts Vulnerabilities (CVE‑2017‑5638 & CVE‑2017‑9805)
The Equifax data breach exposed 143 million Americans' personal information due to unpatched Apache Struts flaws, chiefly CVE‑2017‑5638 and possibly CVE‑2017‑9805, prompting a swift response from the Apache Software Foundation and highlighting the critical need for timely vulnerability management.
Recent reports revealed that hackers stole personal data of 143 million Americans from credit‑reporting agency Equifax by exploiting a vulnerability in the Apache Struts framework.
Struts is an open‑source MVC framework for Java web applications that has been widely used in enterprise legacy systems.
The Apache Software Foundation, which maintains Struts, issued a statement in response to the incident.
Equifax attributes the attack to CVE‑2017‑5638
Initially, media suggested the breach stemmed from an undisclosed Struts flaw, but Equifax confirmed the attackers used the publicly disclosed CVE‑2017‑5638.
CVE‑2017‑5638 is a remote code execution (RCE) vulnerability first reported by Nike Zheng of Anheng Information on March 7 and classified as critical; Apache released a patched Struts version on the same day.
Equifax failed to apply the patch for two months, allowing attackers to exploit the flaw from May until it was disclosed in July.
The vulnerability resides in the Jakarta Multipart parser and affects Apache Struts 2.3 versions prior to 2.3.32 and Struts 2.5 versions prior to 2.5.10.1; the Struts 2.5 branch became safe only from the four‑component release 2.5.10.1, so 2.5.10 itself is still affected.
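As an added example (not code from the original article or from the Struts project), the following Python check applies the affected‑version ranges quoted above to a constructed host inventory. It exists because the fix version 2.5.10.1 has four components, which is exactly where a naive string comparison in an asset‑inventory script gets the answer wrong.

```python
"""Classify reported Apache Struts 2 versions against the CVE-2017-5638
affected ranges stated in the article: Struts 2.3 before 2.3.32 and
Struts 2.5 before 2.5.10.1. Added example, not part of the original text."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected branch, as given in the article.
# Branches not listed (e.g. Struts 2.1) are reported as "not covered",
# never as safe.
FIXED_VERSIONS = {
    (2, 3): "2.3.32",
    (2, 5): "2.5.10.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). A trailing qualifier such as
    '-SNAPSHOT' is dropped; only the numeric components are compared."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected_cve_2017_5638(version: str) -> Optional[bool]:
    """True if affected, False if at or above the fixed release, None if the
    branch is outside the ranges the advisory describes. Tuple comparison
    gets the four-component case right: (2, 5, 10) < (2, 5, 10, 1) because
    the shorter tuple is a strict prefix, so 2.5.10 is flagged as affected
    while 2.5.12 is not."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts in a host->version map that still need the patch."""
    return sorted(h for h, v in inventory.items() if is_affected_cve_2017_5638(v))


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {"app-01": "2.3.31", "app-02": "2.3.32", "app-03": "2.5.10",
              "app-04": "2.5.10.1", "app-05": "2.5.12", "legacy-01": "2.1.8"}
    print(triage(sample))  # ['app-01', 'app-03']
```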
During the breach, attackers accessed sensitive data such as Social Security numbers, birth dates, and addresses, as well as the credit‑card numbers of 209 000 customers and personal data of residents in the UK and Canada.
The incident caused Equifax’s stock to drop nearly 14 % on Wall Street, prompted hearings by two U.S. congressional committees, and triggered investigations by state attorneys general in New York, Illinois, Massachusetts, Connecticut, and Pennsylvania.
Apache Foundation’s response
The Apache Software Foundation’s Project Management Committee responded to Equifax’s statement, noting that the exact source of the leak could not be definitively confirmed as the Struts flaw.
If the Struts vulnerability was indeed the cause, it might be due to unpatched servers or a yet‑undiscovered flaw.
They speculated that the attackers may instead have used CVE‑2017‑9805, which was disclosed on September 5, a month after the breach was first noticed.
The statement also listed software‑engineering best practices that, if followed by developers using open‑source or proprietary libraries, could help prevent similar incidents.
CVE‑2017‑9805 or the real culprit?
In early September, the Struts project published two security advisories. The first, on September 5, covered CVE‑2017‑9804, CVE‑2017‑9805, and CVE‑2017‑9793.
CVE‑2017‑9805 was rated critical; the flaw had been present for nine years and affects all Struts 2 versions released since 2008, so users were urged to upgrade immediately.
Apache suggested that the Equifax attackers likely exploited CVE‑2017‑9805 rather than the CVE‑2017‑5638 cited by Equifax.
The vulnerability originates in the Struts 2 REST plugin, whose XStream component deserializes incoming XML without any type filtering, so the classes to instantiate are chosen by the untrusted input.
The second advisory on September 7 addressed CVE‑2017‑12611, a medium‑severity remote code execution issue caused by improper handling of Freemarker tag expressions.
These vulnerabilities also impacted Cisco, which released two security advisories and began reviewing its products.
Approximately 65 % of the Fortune 100 companies use Struts, including the U.S. Internal Revenue Service, Citigroup, and Equifax.
China is one of the largest users of Struts worldwide, and its national vulnerability sharing platform issued a security notice in July on managing high‑risk Struts 2 vulnerabilities.
This article has been distilled and summarized from source material, then republished for learning and reference.
21CTO