CVE-2016-0792

HIGH

Jenkins XStream Groovy classpath Deserialization Vulnerability

Title source: metasploit

Exploitation Summary

EIP tracks 6 public exploits for CVE-2016-0792. PoCs published by Metasploit, Janusz Piechówka, jpiechowka, including Metasploit module exploits/multi/http/jenkins_xstream_deserialize.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-0792, a deserialization vulnerability in Jenkins versions older than 1.650 and LTS versions older than 1.642.2. It leverages unsafe deserialization in XStream with Groovy in the classpath to achieve remote code execution without requiring authentication.

Description

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/43375

This Metasploit module exploits CVE-2016-0792, a deserialization vulnerability in Jenkins versions older than 1.650 and LTS versions older than 1.642.2. It leverages unsafe deserialization in XStream with Groovy in the classpath to achieve remote code execution without requiring authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins < 1.650, Jenkins LTS < 1.642.2
No auth needed
Prerequisites: Network access to the Jenkins server · Jenkins server running a vulnerable version
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Janusz Piechówka · python · remote · java
https://www.exploit-db.com/exploits/42394

This exploit leverages a deserialization vulnerability in Jenkins (CVE-2016-0792) to achieve remote code execution by crafting a malicious XML payload. It checks the target's version and sends a POST request to trigger the payload execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins versions before 1.650 and LTS before 1.642.2
No auth needed
Prerequisites: Target Jenkins instance must be accessible · Target must be running a vulnerable version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 49 stars
by jpiechowka · poc
https://github.com/jpiechowka/jenkins-cve-2016-0792

This repository contains a functional exploit for CVE-2016-0792, a deserialization vulnerability in Jenkins. The exploit leverages XStream deserialization to execute arbitrary commands via a crafted XML payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins versions < 1.650
No auth needed
Prerequisites: Python 3.6.x · requests library · network access to vulnerable Jenkins instance
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by bugdotexe · poc
https://github.com/bugdotexe/CVE-2016-0792

This repository contains a functional exploit for CVE-2016-0792, which targets Jenkins by creating a job with a malicious shell command payload. The exploit leverages Jenkins' job creation API to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins (versions affected by CVE-2016-0792)
Auth required
Prerequisites: Access to Jenkins instance with job creation permissions · Network connectivity to the target Jenkins server
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by Aviksaikat · poc
https://github.com/Aviksaikat/CVE-2016-0792

This repository contains a functional Python exploit for CVE-2016-0792, a deserialization vulnerability in Jenkins. The exploit crafts a malicious XML payload to achieve remote code execution (RCE) on vulnerable Jenkins instances by leveraging Groovy's MethodClosure and ProcessBuilder.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins versions before 1.650 and LTS before 1.642.2
No auth needed
Prerequisites: Python 3.6.x · requests library · network access to vulnerable Jenkins instance
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Arshan Dabirsiaghi · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_xstream_deserialize.rb

This Metasploit module exploits CVE-2016-0792, a deserialization vulnerability in Jenkins (pre-1.650/LTS pre-1.642.2) via XStream with Groovy in the classpath. It leverages unsafe deserialization to achieve remote code execution without authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins < 1.650, Jenkins LTS < 1.642.2
No auth needed
Prerequisites: Network access to Jenkins server · Jenkins version < 1.650 or LTS < 1.642.2
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43375/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:0711
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42394/
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1773.html

Scores

CVSS v3 8.8
EPSS 0.9056
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-20
Status published
Products (4)
jenkins/jenkins < 1.642.1
jenkins/jenkins < 1.649
org.jenkins-ci.main/jenkins-core 1.643 - 1.650 (Maven)
redhat/openshift 3.1
Published Apr 07, 2016
Tracked Since Feb 18, 2026