CVE-2012-4681

CRITICAL KEV RANSOMWARE

Java 7 Applet Remote Code Execution

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2012-4681 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, benjholla, ZH3FENG, including a Metasploit module exploits/multi/browser/java_jre17_exec.

AI-analyzed exploit summary This Metasploit module exploits a Java 7 vulnerability (CVE-2012-0547) to achieve remote code execution by delivering a malicious JAR file via an HTML page with an embedded applet. The exploit bypasses the Java sandbox and has been tested across multiple browsers and platforms.

Description

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotejava
https://www.exploit-db.com/exploits/20865

This Metasploit module exploits a Java 7 vulnerability (CVE-2012-0547) to achieve remote code execution by delivering a malicious JAR file via an HTML page with an embedded applet. The exploit bypasses the Java sandbox and has been tested across multiple browsers and platforms.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Java 7 (Oracle JDK/JRE 1.7.0)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java 7 must be installed and enabled in the browser
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by benjholla · local
https://github.com/benjholla/CVE-2012-4681-Armoring

This repository contains a working proof-of-concept exploit for CVE-2012-4681, a Java vulnerability that bypasses security restrictions to execute arbitrary commands. The exploit uses reflection and Java beans to disable the security manager and execute 'calc.exe' as a demonstration.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Java Runtime Environment (JRE) 1.7 and earlier
No auth needed
Prerequisites: Victim must run the malicious Java applet
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by ZH3FENG · local
https://github.com/ZH3FENG/PoCs-CVE_2012_4681

This PoC exploits CVE-2012-4681, a Java sandbox bypass vulnerability in JDK7u6, by manipulating the AccessControlContext to disable the SecurityManager. It demonstrates how to reset the Java sandbox using reflection and the `sun.awt.SunToolkit` class.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle JDK 7 Update 6
No auth needed
Prerequisites: Target must be running JDK7u6 · Attacker must be able to execute arbitrary Java code on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Adam Gowdiak, s advisory, , # Vulnerability discovery according to Oracle, jduck, sinn3r, juan vazquez · rubypocjava
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_exec.rb

This Metasploit module exploits CVE-2012-4681, a vulnerability in Java 7 that allows remote code execution by bypassing the Security Manager via ClassFinder and MethodFinder.findMethod(). It delivers a malicious JAR file through an HTML page with an embedded applet.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Java Runtime Environment (JRE) 7
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java 7 must be installed and enabled in the browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-240A.html
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=135109152819176&w=2
Broken Link, Third Party Advisory x_refsource_misc
http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1225.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51044
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/55213

Scores

CVSS v3 9.8
EPSS 0.9414
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2012-08-28
InTheWild.io 2017-08-05
ENISA EUVD EUVD-2012-4606
Ransomware Use Confirmed
CWE
CWE-284
Status published
Products (3)
oracle/jdk 1.6.0 (34 CPE variants)
oracle/jdk 1.7.0 (7 CPE variants)
oracle/jre 1.6.0 (9 CPE variants)
Published Aug 28, 2012
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026