Apache Struts vulnerability affects any app using Struts versions dating back to 2008. A remote code execution (RCE) attack is possible when the Struts REST plugin is used with XStream handler to deserialize untrusted XML requests. Organizations such as Lockheed Martin, Citigroup, Virgin Atlantic and the IRS use this plugin, and several airline booking systems also rely on Struts to manage reservations. Even with a solid patch available, not every company will implement the new code quickly, some may still be unaware of the problem.”]