CVE-2012-0391

CRITICAL KEV

Apache Struts < 2.2.3.1 - Remote Code Execution via ExceptionDelegator OGNL Expression Injection


Exploitation Summary

CVE-2012-0391 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 21, 2022. EIP tracks 3 public exploits from researchers including Metasploit, SEC Consult, Johannes Dahse, Andreas Nusser, juan vazquez, sinn3r, mihi, including a Metasploit module exploits/multi/http/struts_code_exec_exception_delegator.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2012-0391, a remote command execution vulnerability in Apache Struts <= 2.2.1.1. It leverages OGNL expression injection during exception handling to execute arbitrary commands on both Windows and Linux targets.

Description

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/18984

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts <= 2.2.1.1
No auth needed
Prerequisites: Target application must be running a vulnerable version of Apache Struts · Network access to the target application
exploitdb · WORKING POC · VERIFIED
by SEC Consult · text · webapps · multiple
https://www.exploit-db.com/exploits/18329

The exploit demonstrates multiple critical vulnerabilities in Apache Struts2, including remote command execution via ExceptionDelegator, CookieInterceptor, and DebuggingInterceptor, as well as arbitrary file overwrite via ParametersInterceptor. These vulnerabilities arise from OGNL expression injection and improper parameter filtering.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (2.3.1 and below)
No auth needed
Prerequisites: Target application using vulnerable Struts2 version · Access to crafted HTTP requests or headers
metasploit · WORKING POC · EXCELLENT
by Johannes Dahse, Andreas Nusser, juan vazquez, sinn3r, mihi · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb

This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.1.1 by injecting OGNL expressions via the ExceptionDelegator, allowing arbitrary Java code execution. It supports multiple platforms (Windows, Linux, Java) and includes stagers for payload delivery.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts < 2.2.1.1
No auth needed
Prerequisites: Target running vulnerable Apache Struts version · Network access to the target application

References (8)

Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18329
Broken Link · Exploit · mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
Vendor Advisory x_refsource_confirm
http://struts.apache.org/2.x/docs/version-notes-2311.html
Vendor Advisory x_refsource_confirm
http://struts.apache.org/2.x/docs/s2-008.html
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/WW-3668
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47393

Scores

CVSS v3 9.8
EPSS 0.8753
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-01-21
VulnCheck KEV 2021-10-13
InTheWild.io 2022-01-21
ENISA EUVD EUVD-2022-2464
CWE
CWE-94
Status published
Products (3)
apache/struts < 2.2.3.1
org.apache.struts/struts2-core 0 - 2.2.3.1 (Maven)
org.apache.struts.xwork/xwork-core 0 - 2.2.3.1 (Maven)
Published Jan 08, 2012
KEV Added Jan 21, 2022
Tracked Since Feb 18, 2026