CVE-2011-3556

Oracle Java SE JDK/JRE 7/6u27/5.0u31/1.4.2_33 & JRockit R28.1.4 - RCE via RMI

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2011-3556. PoCs published by Metasploit, sk4la, mihi, hdm, including Metasploit module auxiliary/scanner/misc/java_rmi_server.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2011-3556 by leveraging insecure default RMI configurations to execute arbitrary Java code via remote class loading. It crafts a malicious RMI packet to trigger payload delivery over HTTP.

Description

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3557.

Exploits (4)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/17535

This Metasploit module exploits CVE-2011-3556 by leveraging insecure default RMI configurations to execute arbitrary Java code via remote class loading. It crafts a malicious RMI packet to trigger payload delivery over HTTP.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Java RMI Registry/Activation services (default configurations)
No auth needed
Prerequisites: Network access to RMI service (default port 1099) · Target must allow remote class loading
Analyzed by devstral-2, Feb 18, 2026

nomisec · Working PoC · 1 star
by sk4la · poc
https://github.com/sk4la/cve_2011_3556

This is a Python 3 implementation of a proof-of-concept exploit for CVE-2011-3556, a vulnerability in Java RMI servers. It allows remote code execution by loading a malicious JAR file from an attacker-controlled HTTP server.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Java RMI server (JRE <= 1.7.0_1)
No auth needed
Prerequisites: Vulnerable Java RMI server exposed on the network · HTTP server to host the malicious JAR payload
Analyzed by devstral-2, Feb 16, 2026

metasploit · Scanner
by mihi, hdm · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/java_rmi_server.rb

This Metasploit module scans for Java RMI endpoints and checks if remote class loading is enabled, which could lead to remote code execution. It does not contain offensive payloads but detects vulnerable configurations.

Classification: Scanner (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Java RMI Server (versions affected by CVE-2011-3556)
No auth needed
Prerequisites: Network access to the target RMI endpoint · RMI service running on the target
Analyzed by devstral-2, Feb 16, 2026

metasploit · Working PoC · Excellent
by mihi · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

This Metasploit module exploits a Java RMI server's insecure default configuration (CVE-2011-3556) to achieve remote code execution by leveraging the RMI Distributed Garbage Collector to load malicious classes from a remote HTTP server.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Java RMI Registry and RMI Activation services (affects most RMI endpoints)
No auth needed
Prerequisites: Network access to RMI service (default port 1099) · RMI class loader not explicitly disabled
Analyzed by devstral-2, Feb 16, 2026

References (24)

Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2013-1455.html
Third Party Advisory, VDB Entry (OSVDB): http://osvdb.org/76505
Third Party Advisory, VDB Entry (BID): http://www.securityfocus.com/bid/50231
Third Party Advisory (Gentoo): http://security.gentoo.org/glsa/glsa-201406-32.xml
Third Party Advisory (Secunia): http://secunia.com/advisories/48692
Mailing List (HP): http://marc.info/?l=bugtraq&m=134254866602253&w=2
Mailing List (HP): http://marc.info/?l=bugtraq&m=133365109612558&w=2
Third Party Advisory (Secunia): http://secunia.com/advisories/48308
Mailing List (HP): http://marc.info/?l=bugtraq&m=132750579901589&w=2
Third Party Advisory, VDB Entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/70837
Third Party Advisory, VDB Entry, Signature (OVAL): https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14316
Vendor Advisory (Red Hat): http://www.redhat.com/support/errata/RHSA-2011-1478.html
Vendor Advisory (Red Hat): http://www.redhat.com/support/errata/RHSA-2011-1384.html
Mailing List (HP): http://marc.info/?l=bugtraq&m=134254957702612&w=2
Third Party Advisory (Secunia): http://secunia.com/advisories/49198
Vendor Advisory (Red Hat): http://www.redhat.com/support/errata/RHSA-2012-0006.html
Mailing List (HP): http://marc.info/?l=bugtraq&m=133728004526190&w=2
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id?1026215
Vendor Advisory (Ubuntu): http://www.ubuntu.com/usn/USN-1263-1
Various Sources (Confirm): http://www.ibm.com/developerworks/java/jdk/alerts/
Third Party Advisory, US Government Resource (CERT/CC): https://www.kb.cert.org/vuls/id/597809

Scores

EPSS 0.7624
EPSS Percentile 99.5%

Details

Status published
Products (10)
oracle/jrockit r28.0.0
oracle/jrockit r28.0.1
oracle/jrockit r28.0.2
oracle/jrockit r28.1.0
oracle/jrockit r28.1.1
oracle/jrockit r28.1.3
oracle/jrockit < r28.1.4
sun/jdk 1.7.0
sun/jdk 1.6.0 (25 CPE variants)
sun/jdk 1.5.0 (17 CPE variants)
Published Oct 19, 2011
Tracked Since Feb 18, 2026