An RCE attack is possible when using the Struts REST plugin with XStream handler to deserialize XML requests.
Affected Software:- Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
CVE: CVE-2017-9805
For patch update the struts version to 2.5.13