CVE-2014-0112

EXPLOITED

Apache Struts 2.0.0-2.3.16.1 and struts2-core < 2.3.20 - Remote Code Execution via ParametersInterceptor

Title source: llm

Exploitation Summary

CVE-2014-0112 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Mark Thomas and Przemyslaw Celej, among them the Metasploit module exploits/multi/http/struts_code_exec_classloader.

AI-analyzed exploit summary: This Metasploit module exploits a ClassLoader manipulation vulnerability in Apache Struts 1.x and 2.x, allowing remote code execution via crafted parameters. It includes multiple targets for Java, Linux, and Windows, and supports both direct exploitation and SMB-based payload delivery.

Description

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Exploits (3)

exploitdb · WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/41690

This Metasploit module exploits a ClassLoader manipulation vulnerability in Apache Struts 1.x and 2.x, allowing remote code execution via crafted parameters. It includes multiple targets for Java, Linux, and Windows, and supports both direct exploitation and SMB-based payload delivery.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 1.x (<= 1.3.10) and 2.x (< 2.3.16.2)
No auth needed
Prerequisites: Network access to the target Struts application · Struts application with vulnerable ClassLoader manipulation
devstral-2 · analyzed Feb 19, 2026

exploitdb · WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/33142

This Metasploit module exploits CVE-2014-0112 in Apache Struts by manipulating the ClassLoader via crafted parameters, allowing remote code execution through JSP file creation and execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts < 2.3.16.2
No auth needed
Prerequisites: Target running vulnerable Apache Struts version · Network access to the Struts application
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · MANUAL
by Mark Thomas, Przemyslaw Celej · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb

This Metasploit module exploits a ClassLoader manipulation vulnerability in Apache Struts 1.x and 2.x to achieve remote code execution by manipulating the ClassLoader via crafted parameters.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 1.x (<= 1.3.10) and 2.x (< 2.3.16.2)
No auth needed
Prerequisites: Access to a vulnerable Apache Struts application · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References (14)

Patch, Vendor Advisory (x_refsource_confirm): https://cwiki.apache.org/confluence/display/WW/S2-021
Permissions Required, third-party-advisory (x_refsource_secunia): http://secunia.com/advisories/59178
Third Party Advisory (x_refsource_confirm): http://www.vmware.com/security/advisories/VMSA-2014-0007.html
Third Party Advisory, VDB Entry, mailing-list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/531952/100/0/threaded
Permissions Required, third-party-advisory (x_refsource_secunia): http://secunia.com/advisories/59500
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/67064
Third Party Advisory, VDB Entry, third-party-advisory (x_refsource_jvn): http://jvn.jp/en/jp/JVN19294237/index.html
Third Party Advisory, VDB Entry, third-party-advisory (x_refsource_jvndb): http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
Third Party Advisory (x_refsource_confirm): http://www-01.ibm.com/support/docview.wss?uid=swg21676706
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1091939
Third Party Advisory, VDB Entry, mailing-list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/532549/100/0/threaded
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:0910

Scores

EPSS 0.9147
EPSS Percentile 99.7%

Details

VulnCheck KEV 2022-05-11
CWE
CWE-264
Status published
Products (2)
apache/struts 2.0.0 - 2.3.16.2
org.apache.struts/struts2-core 0 - 2.3.20 (Maven)
Published Apr 29, 2014
Tracked Since Feb 18, 2026