CVE-2017-12617

HIGH KEV NUCLEI LAB

Apache Tomcat 7.0.0-7.0.81, 8.0.0.RC1-8.0.46, 8.5.0-8.5.22, 9.0.0.M1-9.0.0 - Remote Code Execution via JSP Upload

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-12617 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 20 public exploits from researchers including Metasploit, intx0x80, cyberheartmi9, including a Metasploit module exploits/multi/http/tomcat_jsp_upload_bypass. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-12617 by uploading a malicious JSP file via a PUT request to a vulnerable Apache Tomcat server, then executing it to achieve remote code execution. The exploit leverages improper handling of trailing slashes in JSP file paths.

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Exploits (20)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotejava
https://www.exploit-db.com/exploits/43008

This Metasploit module exploits CVE-2017-12617 by uploading a malicious JSP file via a PUT request to a vulnerable Apache Tomcat server, then executing it to achieve remote code execution. The exploit leverages improper handling of trailing slashes in JSP file paths.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: Network access to the Tomcat server · Tomcat server with PUT method enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by intx0x80 · pythonwebappsjsp
https://www.exploit-db.com/exploits/42966

This exploit leverages CVE-2017-12617, a PUT method vulnerability in Apache Tomcat, to upload a malicious JSP file for remote code execution. It includes functionality to check for vulnerability, upload a webshell, and execute commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Tomcat with PUT method enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 394 stars
by cyberheartmi9 · remote
https://github.com/cyberheartmi9/CVE-2017-12617

This repository contains a Python script that exploits CVE-2017-12617, a critical RCE vulnerability in Apache Tomcat. The script can check for vulnerability, upload a JSP webshell, and execute commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47, and 7.0.82
No auth needed
Prerequisites: HTTP PUTs enabled (read-only initialization parameter of the Default servlet set to false) · WebDAV servlet enabled with readonly set to false
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by LongWayHomie · remote
https://github.com/LongWayHomie/CVE-2017-12617

This is a Python 3 exploit for CVE-2017-12617, which leverages misconfigured PUT options in Apache Tomcat to upload a JSP reverse shell. The exploit establishes a reverse shell connection to a listener using netcat.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 9.0.0.M1 - 9.0.0, 8.5.0-8.5.22, 8.0.0.RC1 - 8.0.46, 7.0.0 - 7.0.81
No auth needed
Prerequisites: Tomcat with PUT method enabled · Network access to target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by ygouzerh · remote
https://github.com/ygouzerh/CVE-2017-12617

This PoC demonstrates CVE-2017-12617, a PUT method vulnerability in Apache Tomcat, allowing an attacker to upload a JSP web shell for remote command execution. The attack script uses cURL to upload a malicious JSP file to the server.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: Apache Tomcat server with PUT method enabled · Network access to the target server · cURL installed on the attacker's machine
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 1 stars
by vaishakhcv · perlpoc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-12617

This repository contains a functional Perl exploit for CVE-2017-12617, which allows JSP file upload and remote code execution on vulnerable Apache Tomcat versions via a crafted HTTP PUT request. The exploit demonstrates the vulnerability by uploading a malicious JSP payload to the server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8
No auth needed
Prerequisites: HTTP PUTs enabled on the target server
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 1 stars
by jptr218 · remote
https://github.com/jptr218/tc_hack

This PoC exploits CVE-2017-12617 in Apache Tomcat by uploading a malicious JSP file via the PUT method, enabling remote command execution. It establishes an interactive shell by sending commands through HTTP requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions with PUT method enabled)
No auth needed
Prerequisites: PUT method enabled on Apache Tomcat · Network access to target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by tyranteye666 · remote
https://github.com/tyranteye666/tomcat-cve-2017-12617

This is a Python3-compatible exploit for CVE-2017-12617, which allows JSP file upload bypass and remote code execution on vulnerable Apache Tomcat versions. The script includes functionality to check for vulnerability, upload a webshell, and execute commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8
No auth needed
Prerequisites: Network access to the target Tomcat server · PUT method enabled on the server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/Apache/Tomcat/CVE-2017-12617

The repository contains a functional Python script that exploits CVE-2017-12617, a vulnerability in Apache Tomcat allowing JSP file upload via HTTP PUT when partial PUT support is enabled. The script uploads a JSP payload and verifies its execution by fetching the uploaded file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions with partial PUT support enabled)
No auth needed
Prerequisites: Apache Tomcat with partial PUT support enabled · Network access to the target server
devstral-2 · analyzed May 22, 2026 Full analysis →
github WORKING POC
by manus-use · postscriptpoc
https://github.com/manus-use/cve-pocs/tree/main/CVE-2017-12617

This repository contains a functional PoC for CVE-2017-12617, a PUT method vulnerability in Apache Tomcat. It includes a Dockerized victim environment and an attack script that uploads a web shell via a crafted PUT request, demonstrating remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat 9.0.11
No auth needed
Prerequisites: Docker · cURL · Apache Tomcat 9.0.11
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by DevaDJ · remote
https://github.com/DevaDJ/CVE-2017-12617

This is a functional exploit for CVE-2017-12617, targeting Apache Tomcat with HTTP PUTs enabled. It allows for arbitrary file upload and remote code execution via a JSP webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47, and 7.0.82
No auth needed
Prerequisites: HTTP PUT method enabled on the target Tomcat server · Default servlet configured with readonly=false or WebDAV servlet enabled with readonly=false
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by yZee00 · poc
https://github.com/yZee00/CVE-2017-12617

This repository contains a Python3-based exploit for CVE-2017-12617, which targets Apache Tomcat's PUT method vulnerability to achieve remote code execution (RCE) via JSP file upload. The script includes functionality to check for vulnerability, upload a webshell, and execute commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Tomcat · PUT method must be enabled on the server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by scirusvulgaris · remote
https://github.com/scirusvulgaris/CVE-2017-12617

This repository contains a Python-based exploit for CVE-2017-12617, a critical RCE vulnerability in Apache Tomcat. The exploit leverages HTTP PUT requests to upload malicious JSP files when the 'readonly' parameter is set to false, enabling remote command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47, and 7.0.82
No auth needed
Prerequisites: HTTP PUTs enabled (read-only initialization parameter of the Default servlet set to false) · Network access to the target Tomcat server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by K3ysTr0K3R · remote
https://github.com/K3ysTr0K3R/CVE-2017-12617-EXPLOIT

This is a Python-based exploit for CVE-2017-12617, targeting Apache Tomcat's PUT method vulnerability to upload a JSP reverse shell. The payload establishes a reverse shell connection to a specified listener.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: Target must be vulnerable to CVE-2017-12617 · Network access to the target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by winterwolf32 · perlpoc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-12617

This repository contains a functional Perl script that exploits CVE-2017-12617, a vulnerability in Apache Tomcat allowing JSP file upload via a crafted PUT request, leading to remote code execution. The script demonstrates the exploit by sending a malicious JSP payload to the target server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat < 9.0.1, < 8.5.23, < 8.0.47, < 7.0.8
No auth needed
Prerequisites: HTTP PUTs enabled on the target server
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by qiantu88 · remote
https://github.com/qiantu88/CVE-2017-12617

This repository contains a Python script that exploits CVE-2017-12617, a remote code execution vulnerability in Apache Tomcat. The script can check for vulnerability, upload a JSP webshell, and execute commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47, and 7.0.82
No auth needed
Prerequisites: HTTP PUTs enabled (read-only initialization parameter of the Default servlet set to false) or WebDAV servlet enabled with read-only set to false
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by devcoinfet · remote
https://github.com/devcoinfet/CVE-2017-12617

This PoC exploits CVE-2017-12617, a PUT method vulnerability in Apache Tomcat, to upload a JSP shell. It checks for vulnerable servers by identifying the 'Apache-Coyote/1.1' header and attempts to upload a malicious JSP file.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions with PUT method enabled)
No auth needed
Prerequisites: Target server running vulnerable Apache Tomcat · PUT method enabled on the server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/yZeetje/CVE-2017-12617

This repository contains a functional Python3 exploit for CVE-2017-12617, which targets Apache Tomcat's PUT method vulnerability to achieve remote code execution (RCE) via JSP file upload. The script includes payload generation, vulnerability checking, and an interactive shell for command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: PUT method enabled on the target server · Network access to the target
devstral-2 · analyzed Feb 25, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/zi0Black/POC-CVE-2017-12615-or-CVE-2017-12717

This repository contains a functional Python exploit for CVE-2017-12615 and CVE-2017-12617, targeting Apache Tomcat. The exploit leverages the PUT method to upload a malicious JSP file, enabling remote code execution (RCE) via a crafted payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12615 and CVE-2017-12617)
No auth needed
Prerequisites: Target server with vulnerable Tomcat version · Network access to the Tomcat server · PUT method enabled on the server
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb

This Metasploit module exploits CVE-2017-12617, a vulnerability in Apache Tomcat that allows unauthorized JSP file upload via a PUT request bypass, leading to remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2017-12617)
No auth needed
Prerequisites: Network access to Tomcat server · Tomcat configured with default or vulnerable settings
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Tomcat - Remote Code Execution
HIGHVERIFIEDby pussycat0x
Shodan: html:"Apache Tomcat" || http.title:"apache tomcat" || http.html:"apache tomcat" || cpe:"cpe:2.3:a:apache:tomcat"
FOFA: body="apache tomcat" || title="apache tomcat"

References (45)

Core 45
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3113
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3080
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0269
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0270
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0271
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2939
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0465
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0268
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3114
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039552
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100954
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0275
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0466
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3081
Third Party Advisory x_refsource_confirm
https://support.f5.com/csp/article/K53173544
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42966/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3665-1/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43008/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20171018-0002/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180117-0002/

Scores

CVSS v3 8.1
EPSS 0.9438
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull tomcat:8.5.0
docker pull tomcat:9.0.11
+15 more repos

Details

CISA KEV 2022-03-25
VulnCheck KEV 2019-04-17
InTheWild.io 2019-04-23
ENISA EUVD EUVD-2022-5811
CWE
CWE-434
Status published
Products (50)
apache/tomcat 7.0.0 - 7.0.82
Apache Software Foundation/Apache Tomcat 7.0.0 to 7.0.81
Apache Software Foundation/Apache Tomcat 8.0.0.RC1 to 8.0.46
Apache Software Foundation/Apache Tomcat 8.5.0 to 8.5.22
Apache Software Foundation/Apache Tomcat 9.0.0.M1 to 9.0.0
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
canonical/ubuntu_linux 18.04
debian/debian_linux 7.0
... and 40 more
Published Oct 04, 2017
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026