CVE-2010-1423

Java NPAPI/Deployment Toolkit <6-19 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-1423. PoCs published by Metasploit, including Metasploit module exploits/windows/browser/java_ws_arginject_altjvm.

AI-analyzed exploit summary This Metasploit module exploits CVE-2010-1423 by leveraging improper validation of command-line arguments in Sun Java Web Start. It uses the -J and -XXaltjvm options to execute arbitrary code via a malicious JNLP file served over HTTP, targeting Windows systems with WebDAV Mini-Redirector enabled.

Description

Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/41700

This Metasploit module exploits CVE-2010-1423 by leveraging improper validation of command-line arguments in Sun Java Web Start. It uses the -J and -XXaltjvm options to execute arbitrary code via a malicious JNLP file served over HTTP, targeting Windows systems with WebDAV Mini-Redirector enabled.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sun Java Web Start (versions since 6 Update 10)
No auth needed
Prerequisites: Target must have Java Web Start installed · WebClient service (WebDAV Mini-Redirector) must be enabled · Attacker must host the exploit on a server accessible to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb

This Metasploit module exploits CVE-2010-1423 by leveraging the -J and -XXaltjvm options in Java Web Start to inject arbitrary command-line arguments, leading to remote code execution. It uses a combination of HTTP server functionality and WebDAV Mini-Redirector to deliver a malicious DLL payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sun Java Web Start Plugin (versions since 6 Update 10)
No auth needed
Prerequisites: Target must have Java Web Start Plugin installed · WebClient service (WebDAV Mini-Redirector) must be enabled on the target · Server must be run as root and not serve SMB
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023840
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/63648
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39260
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/57615
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/886582
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14090
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0853

Scores

EPSS 0.5558
EPSS Percentile 98.9%

Details

CWE
CWE-78
Status published
Products (4)
oracle/jdk 1.6.0 update10
oracle/jdk < 1.6.0
oracle/jre 1.6.0 update_10
oracle/jre < 1.6.0
Published Apr 15, 2010
Tracked Since Feb 18, 2026