CVE-2016-3087

CRITICAL

Apache Struts 2.3.19-2.3.20.2, 2.3.21-2.3.24.1, 2.3.25-2.3.28 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-3087. PoCs published by Metasploit, nixawk, Nixawk, including Metasploit module exploits/multi/http/struts_dmi_rest_exec.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-3087, a remote code execution vulnerability in Apache Struts REST Plugin with Dynamic Method Invocation enabled. It leverages OGNL injection to execute arbitrary commands on vulnerable systems.

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/39919

This Metasploit module exploits CVE-2016-3087, a remote code execution vulnerability in Apache Struts REST Plugin with Dynamic Method Invocation enabled. It leverages OGNL injection to execute arbitrary commands on vulnerable systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts 2.3.20 to 2.3.28 (excluding 2.3.20.2 and 2.3.24.2)
No auth needed
Prerequisites: REST Plugin with Dynamic Method Invocation enabled · Network access to the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by nixawk · python · remote · multiple
https://www.exploit-db.com/exploits/43382

This exploit targets CVE-2016-3087, a remote code execution vulnerability in Apache Struts2 (S2-033). It leverages OGNL injection to execute arbitrary commands on the target system by manipulating the HTTP request parameters.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts2 (versions 2.3.20 - 2.3.28)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts2 · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Nixawk · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_dmi_rest_exec.rb

This Metasploit module exploits CVE-2016-3087, a remote code execution vulnerability in Apache Struts REST Plugin with Dynamic Method Invocation enabled. It uploads and executes a payload on the target system via OGNL injection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts 2.3.20 to 2.3.28 (excluding 2.3.20.2 and 2.3.24.2)
No auth needed
Prerequisites: Dynamic Method Invocation enabled in Struts REST Plugin · Access to vulnerable REST endpoint
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036017
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39919/
Vendor Advisory x_refsource_confirm
http://struts.apache.org/docs/s2-033.html
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/90960

Scores

CVSS v3 9.8
EPSS 0.8701
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-20
Status: published
Products (6)
apache/struts 2.3.20
apache/struts 2.3.20.1
apache/struts 2.3.24
apache/struts 2.3.24.1
apache/struts 2.3.28
org.apache.struts/struts2-core 2.3.19 - 2.3.20.3 (Maven)
Published Jun 07, 2016
Tracked Since Feb 18, 2026