CVE-2017-12611

CRITICAL EXPLOITED IN THE WILD NUCLEI

Apache Struts 2.0.0-2.3.33 and 2.5-2.5.10.1 - Remote Code Execution via Freemarker Tag Expression

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-12611 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including brianwrf, qazbnm456, xbl3. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages CVE-2017-12611, a remote code execution vulnerability in Apache Struts 2 due to improper handling of OGNL expressions. The payload constructs a malicious OGNL expression to execute arbitrary commands on the target system.

Description

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Exploits (6)

exploitdb WORKING POC VERIFIED
by brianwrf · pythonremotemultiple
https://www.exploit-db.com/exploits/44556

This exploit leverages CVE-2017-12611, a remote code execution vulnerability in Apache Struts 2 due to improper handling of OGNL expressions. The payload constructs a malicious OGNL expression to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 (versions 2.3.5 - 2.3.31, 2.5 - 2.5.10)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts 2 · Target must have the REST plugin enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-12611.md

This repository provides a technical writeup and references for CVE-2017-12611 (S2-053), a vulnerability in Apache Struts2. It includes links to external analyses and PoC repositories but does not contain direct exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2
No auth needed
Prerequisites: Access to a vulnerable Struts2 instance
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 37 stars
by brianwrf · remote
https://github.com/brianwrf/S2-053-CVE-2017-12611

This repository contains a functional exploit for CVE-2017-12611, a remote code execution vulnerability in Apache Struts 2. The exploit leverages OGNL injection to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 (versions affected by CVE-2017-12611)
No auth needed
Prerequisites: Target system running vulnerable Apache Struts 2 · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-12611.md

This repository provides a technical writeup and references for CVE-2017-12611 (S2-053), a vulnerability in Apache Struts2. It includes links to external analyses and PoC repositories but does not contain direct exploit code.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2
No auth needed
Prerequisites: Apache Struts2 installation with vulnerable configuration
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by tcetin704 · remote
https://github.com/tcetin704/CVE-2017-12611

This repository contains a functional OGNL injection payload for CVE-2017-12611, targeting Apache Struts 2. The payload executes arbitrary commands by manipulating OGNL context and ProcessBuilder, demonstrating RCE.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 (versions 2.3.5 - 2.3.31, 2.5 - 2.5.10)
No auth needed
Prerequisites: Vulnerable Apache Struts 2 instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by zeynepsilao · remote
https://github.com/zeynepsilao/CVE-2017-12611_Exploit

This repository provides a working proof-of-concept exploit for CVE-2017-12611, a remote code execution vulnerability in Apache Struts 2.3.20.1. The exploit uses an OGNL injection payload to execute arbitrary commands on the target system.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.20.1
No auth needed
Prerequisites: Docker environment with vulnerable Apache Struts instance · Burp Suite for payload delivery
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Struts2 S2-053 - Remote Code Execution
CRITICALby pikpikcu
Shodan: http.html:"apache struts" || http.title:"struts2 showcase" || http.html:"struts problem report"
FOFA: body="struts problem report" || title="struts2 showcase" || body="apache struts"

References (5)

Core 5
Core References
Mitigation, Third Party Advisory x_refsource_confirm
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt
Exploit, Vendor Advisory x_refsource_confirm
https://struts.apache.org/docs/s2-053.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100829

Scores

CVSS v3 9.8
EPSS 0.9423
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-04-15
InTheWild.io 2018-03-07
CWE
CWE-20
Status published
Products (50)
apache/struts 2.0.1
apache/struts 2.0.2
apache/struts 2.0.3
apache/struts 2.0.4
apache/struts 2.0.5
apache/struts 2.0.6
apache/struts 2.0.7
apache/struts 2.0.8
apache/struts 2.0.9
apache/struts 2.0.10
... and 40 more
Published Sep 20, 2017
Tracked Since Feb 18, 2026