CVE-2016-7065

HIGH

Red Hat JBoss Enterprise Application Platform 4 and 5 - Remote Code Execution via JMX Servlet Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-7065. PoCs published by Mediaservice.net Srl.

AI-analyzed exploit summary: The advisory describes a deserialization vulnerability in JBoss EAP 5.2.X and prior versions, where untrusted data is deserialized via the JMX Invoker Servlet, leading to potential DoS or RCE. The PoC includes serialized payloads to trigger resource exhaustion.

Description

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Mediaservice.net Srl. · text · webapps · java
https://www.exploit-db.com/exploits/40842

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: JBoss EAP 5.2.X and prior
Auth required
Prerequisites: Access to JMX Invoker Servlet · Authenticated session
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References (4)
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1382534
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40842/
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Nov/143
Third Party Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93462

Scores

CVSS v3 8.8
EPSS 0.1247
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
redhat/jboss_enterprise_application_platform 4.0.0
redhat/jboss_enterprise_application_platform 5.0.0
Published Oct 13, 2016
Tracked Since Feb 18, 2026