CVE-2010-1870

NUCLEI

Apache Struts 2.0.0-2.1.8.1 - Remote Code Execution via OGNL Context Variable Manipulation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-1870. PoCs published by Metasploit, Meder Kydyraliev, bannedit, Meder Kydyraliev, including Metasploit module exploits/multi/http/struts_code_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2010-1870, a remote command execution vulnerability in Apache Struts < 2.2.0. It leverages OGNL expression injection to bypass security restrictions and execute arbitrary commands on Windows or Linux targets.

Description

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/17691

View Code ZIP pw:eip

This Metasploit module exploits CVE-2010-1870, a remote command execution vulnerability in Apache Struts < 2.2.0. It leverages OGNL expression injection to bypass security restrictions and execute arbitrary commands on Windows or Linux targets.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Struts < 2.2.0

No auth needed

Prerequisites: Network access to the target Struts application · Vulnerable Struts version (< 2.2.0)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Meder Kydyraliev · textremotemultiple

https://www.exploit-db.com/exploits/14360

View Code ZIP pw:eip

This exploit leverages OGNL injection in Struts2/XWork to bypass security restrictions and execute arbitrary Java code. It manipulates context variables to enable static method access and disable method execution denial, leading to remote command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Struts2 (versions before 2.2.0)

No auth needed

Prerequisites: Target application using Struts2 with ParametersInterceptor enabled (default configuration)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by bannedit, Meder Kydyraliev · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2010-1870, a remote command execution vulnerability in Apache Struts < 2.2.0 by leveraging OGNL expression injection to bypass security restrictions and execute arbitrary Java code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Struts < 2.2.0

No auth needed

Prerequisites: Access to a vulnerable Apache Struts application · Network connectivity to the target

MITRE ATT&CK