CVE-2017-1000486

CRITICAL KEV NUCLEI LAB

Primefaces Remote Code Execution Exploit

Title source: metasploit

Exploitation Summary

CVE-2017-1000486 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2022. EIP tracks 10 public exploits from researchers including Bjoern Schuette, pimps, 0xdsm, including a Metasploit module exploits/multi/http/primefaces_weak_encryption_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-1000486, a remote code execution vulnerability in Primefaces JSF framework due to weak encryption and default credentials. It crafts an encrypted payload using DES encryption and sends it via HTTP POST to execute arbitrary commands.

Description

Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

Exploits (10)

exploitdb WORKING POC

by Bjoern Schuette · rubywebappsjava

https://www.exploit-db.com/exploits/43733

View Code ZIP pw:eip

This Metasploit module exploits CVE-2017-1000486, a remote code execution vulnerability in Primefaces JSF framework due to weak encryption and default credentials. It crafts an encrypted payload using DES encryption and sends it via HTTP POST to execute arbitrary commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Primefaces versions prior to 5.2.21, 5.3.8, or 6.0

Auth required

Prerequisites: Network access to the target · Valid credentials (default: 'primefaces')

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 92 stars

by pimps · remote

https://github.com/pimps/CVE-2017-1000486

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2017-1000486, targeting Primefaces <= 5.2.21, 5.3.8, or 6.0. The exploit leverages a padding oracle attack to achieve remote code execution via weak cryptographic implementation in the Primefaces JSF framework.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Primefaces (versions <= 5.2.21, 5.3.8, or 6.0)

No auth needed

Prerequisites: Target running vulnerable Primefaces version · Network access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 18 stars

by 0xdsm · poc

https://github.com/0xdsm/pwnfaces

View Code ZIP pw:eip

This repository contains a functional Go-based exploit for CVE-2017-1000486, targeting EL Injection in PrimeFaces 5.X. The tool automates the exploitation process, allowing command execution via crafted HTTP requests.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PrimeFaces 5.X

No auth needed

Prerequisites: Target running vulnerable PrimeFaces 5.X · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 9 stars

by mogwailabs · remote

https://github.com/mogwailabs/CVE-2017-1000486

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2017-1000486, an EL injection vulnerability in PrimeFaces 5.x that allows remote code execution. The exploit leverages JavaScript execution via the JavaScript engine bundled with the Java VM to achieve RCE.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PrimeFaces 5.x

No auth needed

Prerequisites: Target must be running a vulnerable version of PrimeFaces 5.x · Network access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 3 stars

by Pastea · remote

https://github.com/Pastea/CVE-2017-1000486

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2017-1000486, targeting a PrimeFaces EL injection vulnerability. It includes a Python script and a Perl script (padBuster) to retrieve the PrimeFaces secret via a Padding Oracle attack and execute arbitrary commands using crafted EL expressions.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PrimeFaces (JSF implementations)

No auth needed

Prerequisites: Access to a vulnerable PrimeFaces application · PrimeFaces secret (or ability to retrieve it via Padding Oracle)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WRITEUP

by jam620 · remote

https://github.com/jam620/primefaces

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2017-1000486, a remote code execution vulnerability in PrimeFaces, specifically targeting the dynamiccontent.properties.xhtml endpoint. It includes a walkthrough of exploitation steps, references to existing exploits, and mitigation recommendations.

Classification

Writeup 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PrimeFaces (used in XETUX POS, MaxView Storage Manager, DOCBOX)

No auth needed

Prerequisites: Access to the target endpoint · Default encryption key in use or ability to perform a Padding Oracle Attack

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by LongWayHomie · remote

https://github.com/LongWayHomie/CVE-2017-1000486

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2017-1000486, an EL injection vulnerability in PrimeFaces 5.x. The exploit leverages JavaScript payloads to achieve remote code execution (RCE) by manipulating the `pfdrid` parameter in HTTP requests, with results returned in HTTP response headers.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PrimeFaces 5.x

No auth needed

Prerequisites: Access to a vulnerable PrimeFaces 5.x endpoint · Network connectivity to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by cved-sources · poc

https://github.com/cved-sources/cve-2017-1000486

View Code ZIP pw:eip

This repository contains a Dockerfile for setting up a vulnerable Tomcat 7 environment but lacks actual exploit code or technical details about CVE-2017-1000486. It references external sources without providing a functional PoC.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Apache Tomcat 7

No auth needed

Prerequisites: Docker environment

devstral-2 · analyzed Feb 18, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/000pp/pwnfaces

View Code ZIP pw:eip

This repository contains a functional Go-based exploit for CVE-2017-1000486, targeting EL Injection in PrimeFaces 5.X. The tool crafts malicious requests to achieve remote code execution (RCE) on vulnerable systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PrimeFaces 5.X

No auth needed

Prerequisites: Target URL with vulnerable PrimeFaces endpoint · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Bjoern Schuette, h00die · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/primefaces_weak_encryption_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a Java Expression Language (EL) injection vulnerability in Primefaces due to weak encryption, allowing remote code execution via crafted payloads. It leverages a padding oracle attack to bypass encryption and execute arbitrary commands.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Primefaces (versions prior to 5.2.21, 5.3.8, or 6.0)

No auth needed

Prerequisites: Network access to the target · Primefaces application with vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Primetek Primefaces 5.x - Remote Code Execution

CRITICALby Moritz Nentwig

References (5)

Core 5

Core References

Issue Tracking, Third Party Advisory x_refsource_confirm

https://github.com/primefaces/primefaces/issues/1152

Broken Link, Third Party Advisory x_refsource_misc

https://cryptosense.com/weak-encryption-flaw-in-primefaces/

Exploit, Third Party Advisory x_refsource_misc

http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43733/

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000486

Scores

CVSS v3 9.8

EPSS 0.9388

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull tomcat:7

https://github.com/pimps/CVE-2017-1000486

https://github.com/mogwailabs/CVE-2017-1000486

https://github.com/cved-sources/cve-2017-1000486

+6 more repos

View in Library

Details

CISA KEV 2022-01-10

VulnCheck KEV 2021-01-05

InTheWild.io 2022-01-10

ENISA EUVD EUVD-2021-1339

CWE

CWE-326

Status published

Products (2)

org.primefaces/primefaces 5.0 - 6.0Maven

primetek/primefaces 4.0 - 4.0.24

Published Jan 03, 2018

KEV Added Jan 10, 2022

Tracked Since Feb 18, 2026