CVE-2014-1202

SoapUI < 4.6.4 - Remote Code Execution via WSDL Import


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-1202. PoCs published by Barak Tawily.

AI-analyzed exploit summary: This exploit demonstrates a remote code execution vulnerability in SoapUI via a malicious WSDL file. The payload uses the `${=JAVA CODE};` syntax to execute arbitrary Java code (e.g., `Runtime.getRuntime().exec('calc.exe')`) when a victim imports the WSDL and sends a request.

Description

The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

Exploits (1)

exploitdb WORKING POC
by Barak Tawily · text · remote · windows
https://www.exploit-db.com/exploits/30908


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SoapUI versions before 4.6.4
No auth needed
Prerequisites: Victim must import the malicious WSDL file into SoapUI · Victim must attempt to send a request using the malicious WSDL
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.1735
EPSS Percentile 95.2%

Details

CWE: CWE-94
Status: published
Products (16)
com.smartbear.soapui/soapui 0 - 4.6.4 (Maven)
eviware/soapui 2.5.1
eviware/soapui 3.0.1
eviware/soapui 3.5
eviware/soapui 3.5.1
eviware/soapui 3.6
eviware/soapui 3.6.1
smartbear/soapui 4.0 (3 CPE variants)
smartbear/soapui 4.0.1
smartbear/soapui 4.5
... and 6 more
Published Jan 25, 2014
Tracked Since Feb 18, 2026