CVE-2016-1000027

CRITICAL

Pivotal Spring Framework through 5.3.16 (HttpInvokerServiceExporter) - RCE

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2016-1000027. PoCs published by artem-smotrakov, JAckLosingHeart, tina94happy.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2016-1000027, demonstrating a deserialization vulnerability in Spring Framework's HttpInvokerServiceExporter. The exploit sends a malicious serialized payload to trigger remote code execution.

Description

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. In practice the exposed component is the remoting layer (HttpInvokerServiceExporter and the other exporters in org.springframework.remoting), which reads the request body with an unrestricted ObjectInputStream; that whole package was removed in Spring Framework 6.0, which is why the affected range below ends at 6.0.0.
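The following is an added illustration, not code from any repository listed on this page nor from Spring itself. It shows the vulnerable wiring the description refers to (an HttpInvokerServiceExporter bean, kept as a comment) next to a compensating control for teams still on Spring 5.x: a subclass that installs a JEP 290 deserialization filter on the stream the exporter reads. Everything named `AccountService`, `/remoting/AccountService` and `com.example.api.*` is hypothetical; the Spring hooks (`HttpInvokerServiceExporter`, `RemoteInvocation`, the protected `createObjectInputStream`) and the JDK API (`java.io.ObjectInputFilter`, Java 9 or later; on 8u121+ the equivalent lives in `sun.misc` and has to be set reflectively) are real.

```java
package com.example.remoting; // hypothetical package for this added example

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.remoting.support.RemoteInvocation;

/**
 * Compensating control for CVE-2016-1000027 on Spring 5.x. The real fix is to
 * drop the exporter (Spring 6.0 removed it); where that is not yet possible,
 * this subclass restricts what the exporter's ObjectInputStream may instantiate
 * to the types a RemoteInvocation legitimately carries.
 */
public class FilteredHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    private final ObjectInputFilter filter;

    /** @param allowedPatterns extra JEP 290 patterns for the service's own argument types, e.g. "com.example.api.*" */
    public FilteredHttpInvokerServiceExporter(String... allowedPatterns) {
        this.filter = ObjectInputFilter.Config.createFilter(buildPattern(allowedPatterns));
    }

    /** Allowlist first, then resource limits, then "!*" rejects every other class. */
    static String buildPattern(String... allowedPatterns) {
        StringBuilder sb = new StringBuilder();
        sb.append(RemoteInvocation.class.getName()).append(';');   // the envelope the client sends
        sb.append("java.lang.*;java.util.*;");                      // String, Class, boxed primitives, attributes map
        for (String p : allowedPatterns) {
            sb.append(p).append(';');
        }
        sb.append("maxdepth=16;maxarray=10000;maxrefs=20000;");     // bound nesting, arrays and back-references
        sb.append("!*");
        return sb.toString();
    }

    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        // The filter must be installed before the first readObject(); the stream
        // returned by the superclass has only consumed the serialization header.
        ObjectInputStream ois = super.createObjectInputStream(is);
        ois.setObjectInputFilter(filter);
        return ois;
    }

    /** Illustrative wiring with hypothetical names. */
    @Configuration
    static class RemotingConfig {

        // VULNERABLE (what the CVE describes): the exporter deserializes the POST
        // body with no class restriction, so any gadget chain on the server
        // classpath can be triggered by whoever can reach the endpoint.
        //
        // @Bean("/remoting/AccountService")
        // public HttpInvokerServiceExporter accountService(AccountService svc) {
        //     HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
        //     exporter.setService(svc);
        //     exporter.setServiceInterface(AccountService.class);
        //     return exporter;
        // }

        // Same endpoint, filtered stream: only RemoteInvocation, java.lang/java.util
        // and the service's own DTO package are accepted.
        @Bean("/remoting/AccountService")
        public HttpInvokerServiceExporter accountService(AccountService svc) {
            FilteredHttpInvokerServiceExporter exporter =
                    new FilteredHttpInvokerServiceExporter("com.example.api.*");
            exporter.setService(svc);
            exporter.setServiceInterface(AccountService.class);
            return exporter;
        }
    }

    /** Hypothetical remote service interface used by the wiring above. */
    public interface AccountService {
        String lookup(String accountId);
    }
}
```

Two caveats when applying this. An allowlist only keeps unknown classes out; `java.util.*` is broad and should be trimmed to the collection types the service really exchanges, and any package you add (`com.example.api.*` above) must itself be free of classes with dangerous `readObject` logic. And the endpoint is still a Java deserialization endpoint reachable over HTTP, so authentication in front of it and, ultimately, removal (as in the stripped spring-web builds listed further down) remain the actual fix.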

Exploits (6)

nomisec WORKING POC 12 stars
by artem-smotrakov · poc
https://github.com/artem-smotrakov/cve-2016-1000027-poc

This repository contains a functional PoC for CVE-2016-1000027, demonstrating a deserialization vulnerability in Spring Framework's HttpInvokerServiceExporter. The exploit sends a malicious serialized payload to trigger remote code execution.

Classification: Working PoC (95%) · Attack Type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Spring Framework (versions affected by CVE-2016-1000027)
No auth needed
Prerequisites: Vulnerable Spring Framework application with HttpInvokerServiceExporter exposed · Ability to send HTTP requests to the target endpoint
devstral-2 · analyzed Feb 18, 2026
github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/spring-CVE-2016-1000027

This repository contains a functional exploit PoC for CVE-2016-1000027, demonstrating a deserialization vulnerability in Spring's HTTP Invoker. The exploit sends a crafted serialized payload to trigger remote code execution.

Classification: Working PoC (95%) · Attack Type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Spring Framework (HTTP Invoker)
No auth needed
Prerequisites: Network access to the target server · A crafted serialized payload (payload.bin)
devstral-2 · analyzed Feb 27, 2026
nomisec WRITEUP 2 stars
by tina94happy · poc
https://github.com/tina94happy/Spring-Web-5xx-Mitigated-version

This repository provides a technical writeup and mitigated version of Spring Web to address CVE-2016-1000027, a remote code execution vulnerability in Java deserialization. It discusses the removal of the vulnerable `handleRequest` functionality in `HttpInvokerServiceExporter` and provides context for organizations constrained to OpenJDK 8.

Classification: Writeup (90%) · Attack Type: Deserialization · Complexity: Moderate · Reliability: Theoretical
Target: Spring Framework 4.1.4
No auth needed
Prerequisites: Use of Spring Framework 4.1.4 · Java deserialization of untrusted data
devstral-2 · analyzed Feb 18, 2026
gitlab STUB
by imdsafiqul842 · poc
https://gitlab.com/imdsafiqul842/spring-cve-2016-1000027

The repository contains only a GitLab CI configuration and a README referencing CVE-2016-1000027 without any exploit code or technical details. It appears to be a placeholder or incomplete project.

Classification: Stub (90%) · Attack Type: Other · Complexity: Theoretical · Reliability: Theoretical
Target: Spring Framework (version not specified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 23, 2026
nomisec WORKING POC
by Ragatzino · poc
https://github.com/Ragatzino/test-cve-2016-1000027

This repository contains a functional exploit PoC for CVE-2016-1000027, demonstrating a deserialization vulnerability in Spring's HttpInvokerServiceExporter. The exploit includes an attack script that sends a crafted serialized payload to a vulnerable endpoint, along with a vulnerable Spring application setup for testing.

Classification: Working PoC (90%) · Attack Type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Spring Framework (HttpInvokerServiceExporter)
No auth needed
Prerequisites: Vulnerable Spring application with HttpInvokerServiceExporter exposed · Network access to the target endpoint
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by yihtserns · poc
https://github.com/yihtserns/spring-web-without-remoting

This repository provides a technical solution to mitigate CVE-2016-1000027 by removing the vulnerable `org.springframework.remoting` package from Spring Web 5.x. It references the GitHub advisory and issue for further context.

Classification: Writeup (90%) · Attack Type: Deserialization · Complexity: Trivial · Reliability: Reliable
Target: Spring Web 5.x
No auth needed
Prerequisites: Spring Web 5.x with `org.springframework.remoting` package present
devstral-2 · analyzed Feb 18, 2026
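The two writeups above (tina94happy, yihtserns) mitigate the CVE by taking the remoting code out of spring-web. A practitioner who has done that wants a regression guard so the exporters do not creep back in through a dependency bump. The test below is an added example, not code from either repository; it assumes a Spring Boot application with JUnit 5 on the test classpath and uses only real Spring APIs (`ClassUtils.isPresent`, `ApplicationContext.getBeanDefinitionNames`/`getType`). The first test only holds once the package is gone (Spring 6.x or a stripped 5.x build); the second holds on stock 5.3.x as well, because it checks that nothing is wired as an endpoint even if the classes are still present.

```java
package com.example.remoting; // hypothetical package for this added example

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.fail;

import java.util.List;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ApplicationContext;
import org.springframework.util.ClassUtils;

/**
 * Guard test: fails the build if the Java-serialization exporters behind
 * CVE-2016-1000027 reappear, either as classes on the classpath or as beans
 * registered in the application context.
 */
@SpringBootTest
class NoRemotingExportersTest {

    /** Server-side exporters in Spring 5.x that deserialize client-supplied Java objects. */
    static final List<String> REMOTING_EXPORTERS = List.of(
            "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter",
            "org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter",
            "org.springframework.remoting.rmi.RmiServiceExporter");

    @Autowired
    ApplicationContext ctx;

    /** Passes only after spring-web 6.x or a build with org.springframework.remoting removed. */
    @Test
    void remotingExportersAbsentFromClasspath() {
        ClassLoader cl = getClass().getClassLoader();
        for (String cls : REMOTING_EXPORTERS) {
            assertFalse(ClassUtils.isPresent(cls, cl), cls + " is still on the classpath");
        }
    }

    /** Passes on 5.3.x too: the package may exist, but no bean may expose it as an endpoint. */
    @Test
    void noRemotingBeansRegistered() {
        for (String name : ctx.getBeanDefinitionNames()) {
            Class<?> type = ctx.getType(name);
            if (type != null && type.getName().startsWith("org.springframework.remoting.")) {
                fail("bean '" + name + "' exposes " + type.getName());
            }
        }
    }
}
```

Run it as part of the normal test suite; if the project cannot yet drop the package, disable only the first test and keep the second, which is the one that actually guards the exposed-endpoint condition the PoCs above depend on.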

Scores

CVSS v3 9.8
EPSS 0.6042
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
org.springframework/spring-web (Maven) 0 - 6.0.0
vmware/spring_framework < 6.0.0
Published Jan 02, 2020
Tracked Since Feb 18, 2026