CVE-2007-1036

EXPLOITED RANSOMWARE

JBoss Application Server - Unauthenticated Administrative Access via Default Configuration


Exploitation Summary

CVE-2007-1036 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, jduck, Patrick Hof, h0ng10 and Jens Liebchen, among them the Metasploit module exploits/multi/http/jboss_maindeployer.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2007-1036 in JBoss servers by leveraging exposed JMX Invoker servlets to deploy a malicious WAR file via the DeploymentFileRepository methods. It achieves remote code execution by uploading and executing a payload through a stager JSP.

Description

The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.

Exploits (4)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/21080

This Metasploit module exploits CVE-2007-1036 in JBoss servers by leveraging exposed JMX Invoker servlets to deploy a malicious WAR file via the DeploymentFileRepository methods. It achieves remote code execution by uploading and executing a payload through a stager JSP.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JBoss 4.x and 5.x
No auth needed
Prerequisites: Exposed JMXInvokerServlet · JBoss server with vulnerable DeploymentFileRepository methods
devstral-2 · analyzed Feb 18, 2026

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/16318

This Metasploit module exploits CVE-2007-1036 by deploying a malicious WAR archive via the JBoss JMX Console's MainDeployer functionality. It achieves remote code execution by serving a WAR file containing a payload and triggering its deployment on the target server.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JBoss Application Server with exposed JMX Console
No auth needed
Prerequisites: Target server must have an exposed JMX Console · Target server must allow outbound connections to the attacker's server
devstral-2 · analyzed Feb 18, 2026

metasploit · WORKING POC · EXCELLENT
by jduck, Patrick Hof, h0ng10 · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jboss_maindeployer.rb

This Metasploit module exploits CVE-2007-1036 by deploying a malicious WAR archive via the JBoss JMX Console's MainDeployer functionality, achieving remote code execution. It includes automatic target detection and supports multiple platforms.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JBoss Application Server with exposed JMX Console
No auth needed
Prerequisites: Exposed JMX Console · Outbound connectivity from target to attacker
devstral-2 · analyzed Mar 05, 2026

metasploit · WORKING POC · EXCELLENT
by Patrick Hof, Jens Liebchen, h0ng10 · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jboss_invoke_deploy.rb

This Metasploit module exploits a JBoss JMXInvokerServlet vulnerability (CVE-2007-1036) to deploy a WAR file via the DeploymentFileRepository, achieving remote code execution on JBoss 4.x and 5.x servers. It uses a multi-stage approach with a JSP stager to upload and execute the payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JBoss 4.x and 5.x
No auth needed
Prerequisites: Exposed JMXInvokerServlet · JBoss 4.x or 5.x with DeploymentFileRepository accessible
devstral-2 · analyzed Feb 16, 2026

References (9)

Third Party Advisory x_refsource_misc
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017677
Third Party Advisory x_refsource_misc
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/32596
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/632656
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460597/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/33744
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460605/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460695/100/0/threaded

Scores

EPSS 0.9014
EPSS Percentile 99.6%

Details

VulnCheck KEV: 2019-09-01
Ransomware Use: Confirmed
CWE: CWE-264
Status: published
Products (1): jboss/jboss_application_server
Published: Feb 21, 2007
Tracked Since: Feb 18, 2026