CVE-2012-5076

CRITICAL KEV RANSOMWARE

Java Applet AverageRangeStatisticImpl Remote Code Execution

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2012-5076 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, Unknown, juan vazquez, including a Metasploit module exploits/multi/browser/java_jre17_jaxws.

AI-analyzed exploit summary This Metasploit module exploits CVE-2012-5076, a vulnerability in Java 7u7 and earlier, by abusing the AverageRangeStatisticImpl class to execute arbitrary Java code outside the sandbox. It delivers a malicious JAR file via an HTML page with an embedded applet.

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotejava
https://www.exploit-db.com/exploits/24309

This Metasploit module exploits CVE-2012-5076, a vulnerability in Java 7u7 and earlier, by abusing the AverageRangeStatisticImpl class to execute arbitrary Java code outside the sandbox. It delivers a malicious JAR file via an HTML page with an embedded applet.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Java SE 7u7 and earlier
No auth needed
Prerequisites: Target must have a vulnerable Java version installed · Target must visit a malicious webpage or be redirected to it
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/22657

This Metasploit module exploits CVE-2012-5076, a vulnerability in Java JAX-WS classes that allows remote code execution outside the sandbox. It delivers a malicious JAR file via an HTML page with an embedded applet, targeting Java 7u7 and earlier.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Java 7u7 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java 7u7 or earlier must be installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Unknown, juan vazquez · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_jaxws.rb

This Metasploit module exploits CVE-2012-5076 in Java JAX-WS to achieve remote code execution via a malicious Java applet. It delivers a JAR file containing exploit classes to bypass sandbox restrictions in Java 7u7 and earlier.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Java Runtime Environment (JRE) 7u7 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the applet · Java applet must be allowed to run in the browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Unknown, juan vazquez · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb

This Metasploit module exploits CVE-2012-5076 by abusing the AverageRangeStatisticImpl class in Java Applets to execute arbitrary code outside the sandbox. It targets Java 7u7 and earlier versions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Java Runtime Environment (JRE) 7u7 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java Applet support enabled in the browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201406-32.xml
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1386.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1391.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51029
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51390
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1467.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51326

Scores

CVSS v3 9.8
EPSS 0.9144
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2012-11-12
InTheWild.io 2022-03-28
ENISA EUVD EUVD-2012-4999
Ransomware Use Confirmed
CWE
CWE-284
Status published
Products (2)
oracle/jre 1.7.0 (8 CPE variants)
suse/linux_enterprise_desktop 11 sp2
Published Oct 16, 2012
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026