CVE-2025-68493 is an XML External Entity (XXE) vulnerability classified under CWE-611, found in the Apache Struts framework maintained by the Apache Software Foundation. This vulnerability arises from missing or insufficient XML validation, allowing attackers to craft malicious XML payloads that include external entity references. When processed by vulnerable versions of Apache Struts (from 2.0.0 before 2.2.1 and from 2.2.1 through 6.1.0), these payloads can lead to the disclosure of sensitive files, denial of service (via resource exhaustion), or other impacts depending on the XML parser behavior and server configuration. The vulnerability is remotely exploitable over the network without requiring authentication, although it requires user interaction to trigger the malicious XML processing. The CVSS v3.1 base score is 8.1, reflecting high confidentiality impact and high availability impact, with low attack complexity and no privileges required. The issue was reserved in December 2025 and published in January 2026. While no active exploitation has been reported yet, the widespread use of Apache Struts in enterprise web applications makes this a critical vulnerability to address. The recommended mitigation is upgrading to Apache Struts version 6.1.1, which includes the necessary XML validation fixes to prevent XXE attacks.

The impact of CVE-2025-68493 is significant for organizations worldwide that use Apache Struts in their web application infrastructure. Successful exploitation can lead to unauthorized disclosure of sensitive data, including local files on the server, which compromises confidentiality. Additionally, crafted XML payloads can cause denial of service conditions by exhausting server resources, impacting availability. Since the vulnerability requires no authentication and can be triggered remotely, attackers can exploit it at scale, potentially affecting large numbers of systems. This can lead to data breaches, service outages, and reputational damage. Organizations in sectors such as finance, healthcare, government, and e-commerce that rely heavily on Apache Struts are particularly at risk. The vulnerability also increases the attack surface for advanced persistent threats and cybercriminals aiming to gain footholds in critical infrastructure.

To mitigate CVE-2025-68493, organizations should immediately upgrade all affected Apache Struts instances to version 6.1.1 or later, where the vulnerability is patched. In addition to patching, organizations should implement strict input validation and XML parsing configurations to disable external entity processing where possible. Employing Web Application Firewalls (WAFs) with rules to detect and block malicious XML payloads can provide an additional layer of defense. Monitoring and logging XML processing errors and unusual application behavior can help detect attempted exploitation. Network segmentation and limiting exposure of vulnerable services to untrusted networks reduce attack surface. Regular security assessments and code reviews focusing on XML handling can prevent similar issues. Finally, educating developers and administrators about secure XML processing practices is essential for long-term risk reduction.