CVE-2012-1723

CRITICAL KEV RANSOMWARE

Java Applet Field Bytecode Verifier Cache Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2012-1723 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 3, 2022), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Metasploit, EthanNJC, Stefan Cornelius, mihi, littlelightlittlefire, juan vazquez and sinn3r, among them the Metasploit module exploits/multi/browser/java_verifier_field_access.

AI-analyzed exploit summary: This Metasploit module exploits a vulnerability in the HotSpot bytecode verifier (CVE-2012-1723) to escape the JRE sandbox and execute arbitrary code. It delivers a malicious Java applet via an HTTP server to achieve remote code execution.

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · java
https://www.exploit-db.com/exploits/19717

This Metasploit module exploits a vulnerability in the HotSpot bytecode verifier (CVE-2012-1723) to escape the JRE sandbox and execute arbitrary code. It delivers a malicious Java applet via an HTTP server to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Java Runtime Environment (JRE) 7 Update 4 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java applet must be executed in a vulnerable JRE
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by EthanNJC · client-side
https://github.com/EthanNJC/CVE-2012-1723

This PoC exploits CVE-2012-1723, a Java Applet sandbox escape vulnerability, by manipulating ClassLoader references to bypass security restrictions and execute arbitrary commands. The exploit chain involves confusing the ClassLoader, defining a malicious class with elevated permissions, and executing a payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Java Runtime Environment (JRE) 7 Update 4 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit applet · Java Applet support must be enabled in the browser
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Stefan Cornelius, mihi, littlelightlittlefire, juan vazquez, sinn3r · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_verifier_field_access.rb

This Metasploit module exploits a vulnerability in the HotSpot bytecode verifier (CVE-2012-1723) to escape the JRE sandbox and execute arbitrary code. It uses a malicious Java applet to deliver a payload, supporting multiple platforms and architectures.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Java Runtime Environment (JRE) 7 Update 4 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java applet must be executed in a vulnerable JRE
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201406-32.xml
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0734.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=134496371727681&w=2
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/53960
Broken Link vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:095
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51080

Scores

CVSS v3 9.8
EPSS 0.9408
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2013-03-14
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2012-1733
Ransomware Use Confirmed
CWE CWE-284
Status published
Products (2)
oracle/jdk 1.5.0 (30 CPE variants)
oracle/jdk 1.6.0 (20 CPE variants)
Published Jun 16, 2012
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026