CVE-2011-3923

CRITICAL

Apache Struts < 2.3.1.2 - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-3923. PoCs published by Metasploit, Meder Kydyraliev, including Metasploit module exploits/multi/http/struts_code_exec_parameters.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2011-3923, a remote code execution vulnerability in Apache Struts versions < 2.3.1.2 via OGNL expression injection in the ParametersInterceptor. It supports multiple platforms (Windows, Linux, Java) and delivers payloads through chunked file uploads.

Description

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParametersInterceptor class and execute arbitrary commands.

Exploits (2)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/24874

This Metasploit module exploits CVE-2011-3923, a remote code execution vulnerability in Apache Struts versions < 2.3.1.2 via OGNL expression injection in the ParametersInterceptor. It supports multiple platforms (Windows, Linux, Java) and delivers payloads through chunked file uploads.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts < 2.3.1.2
Authentication: none needed
Prerequisites: Target running vulnerable Apache Struts version · Access to a Struts action endpoint
Analysis: devstral-2 · analyzed Feb 16, 2026
metasploit · Working PoC · Excellent
by Meder Kydyraliev · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_parameters.rb

This Metasploit module exploits CVE-2011-3923, a remote code execution vulnerability in Apache Struts versions < 2.3.1.2. It leverages OGNL expression injection via the ParametersInterceptor to execute arbitrary Java code, supporting Windows, Linux, and Java payloads.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts < 2.3.1.2
Authentication: none needed
Prerequisites: Target application must be running a vulnerable version of Apache Struts · Network access to the target application
Analysis: devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Exploit, Third Party Advisory (exploit-db): http://www.exploit-db.com/exploits/24874
Third Party Advisory, VDB Entry (bid): http://www.securityfocus.com/bid/51628
Third Party Advisory (misc): https://security-tracker.debian.org/tracker/CVE-2011-3923
Mailing List (misc): http://seclists.org/fulldisclosure/2014/Jul/38
Third Party Advisory, VDB Entry (misc): http://www.securitytracker.com/id?1026575
Third Party Advisory, VDB Entry (xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/72585

Scores

CVSS v3: 9.8
EPSS: 0.9105
EPSS Percentile: 99.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-732
Status: published
Products (3):
apache/struts 2.0.0 - 2.3.1.2
org.apache.struts/struts2-core 2.0.0 - 2.3.1.2 (Maven)
redhat/jboss_enterprise_web_server 1.0.0
Published: Nov 01, 2019
Tracked Since: Feb 18, 2026