CVE-2016-3081

HIGH NUCLEI

Apache Struts 2.3.19-2.3.20.2, 2.3.21-2.3.24.1, 2.3.25-2.3.28 - Remote Code Execution via Dynamic Method Invocation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-3081. PoCs published by Metasploit, Nixawk, rungobier, including Metasploit module exploits/multi/http/struts_dmi_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-3081, a remote code execution vulnerability in Apache Struts 2.3.20-2.3.28 (excluding 2.3.20.2 and 2.3.24.2) via Dynamic Method Invocation. It uploads a payload to the target system and executes it to achieve remote command execution.

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/39756

This Metasploit module exploits CVE-2016-3081, a remote code execution vulnerability in Apache Struts 2.3.20-2.3.28 (excluding 2.3.20.2 and 2.3.24.2) via Dynamic Method Invocation. It uploads a payload to the target system and executes it to achieve remote command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts 2.3.20-2.3.28 (excluding 2.3.20.2 and 2.3.24.2)
No auth needed
Prerequisites: Dynamic Method Invocation enabled on the target Apache Struts application · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Nixawk, rungobier · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_dmi_exec.rb

This Metasploit module exploits CVE-2016-3081 in Apache Struts 2.3.20-2.3.28 (excluding 2.3.20.2 and 2.3.24.2) via Dynamic Method Invocation to achieve remote code execution. It uploads and executes a payload tailored for Windows, Linux, or Java targets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts 2.3.20-2.3.28 (excluding 2.3.20.2 and 2.3.24.2)
No auth needed
Prerequisites: Dynamic Method Invocation enabled in Struts · Network access to the target application
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache S2-032 Struts - Remote Code Execution
HIGH · by dhiyaneshDK
Shodan: http.html:"apache struts" || http.title:"struts2 showcase" || http.html:"struts problem report"
FOFA: body="struts problem report" || title="struts2 showcase" || body="apache struts"

References (11)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39756/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91787
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/87327
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035665
Patch, Vendor Advisory x_refsource_confirm
https://struts.apache.org/docs/s2-032.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Scores

CVSS v3 8.1
EPSS 0.9420
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-77
Status: published
Products (50)
apache/struts 2.0.0
apache/struts 2.0.1
apache/struts 2.0.2
apache/struts 2.0.3
apache/struts 2.0.4
apache/struts 2.0.5
apache/struts 2.0.6
apache/struts 2.0.7
apache/struts 2.0.8
apache/struts 2.0.9
... and 40 more
Published Apr 26, 2016
Tracked Since Feb 18, 2026