CVE-2017-12629

CRITICAL IN THE WILD NUCLEI

Apache Solr < 7.1 - Remote Code Execution via XXE in XML Query Parser

Title source: llm

Exploitation Summary

CVE-2017-12629 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 3 public exploits from researchers including Michael Stepankin & Olga Barinova, dyeat, captain-woof. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates two vulnerabilities in Apache Solr: an XXE vulnerability (CVE-2017-12629) allowing arbitrary HTTP requests and a remote code execution vulnerability via the RunExecutableListener. The PoC includes detailed steps to exploit both vulnerabilities, including chaining them for RCE without direct access to the Solr server.

Description

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Michael Stepankin & Olga Barinova · textwebappsxml

https://www.exploit-db.com/exploits/43009

View Code ZIP pw:eip

This exploit demonstrates two vulnerabilities in Apache Solr: an XXE vulnerability (CVE-2017-12629) allowing arbitrary HTTP requests and a remote code execution vulnerability via the RunExecutableListener. The PoC includes detailed steps to exploit both vulnerabilities, including chaining them for RCE without direct access to the Solr server.

Classification

Working Poc 100%

Attack Type

Rce | Ssrf | Xxe

Complexity

Moderate

Reliability

Reliable

Target: Apache Solr (versions prior to fix)

No auth needed

Prerequisites: Network access to Solr server · Ability to send crafted HTTP requests

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1200 - Hardware Additions T1211 - Exploitation for Defense Evasion

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC

by dyeat · pythonpoc

https://github.com/dyeat/cve-reproduction/tree/main/Apache/Solr/CVE-2017-12629

View Code ZIP pw:eip

The repository contains a functional Python script that exploits CVE-2017-12629 in Apache Solr by adding a malicious RunExecutableListener to achieve remote code execution via a reverse shell. The script sends crafted JSON payloads to the Solr config and update endpoints to trigger the vulnerability.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Apache Solr (versions affected by CVE-2017-12629)

No auth needed

Prerequisites: Network access to the Solr instance on port 8983 · Solr instance with the vulnerable configuration

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 22, 2026 Full analysis →

nomisec WORKING POC

by captain-woof · poc

https://github.com/captain-woof/cve-2017-12629

View Code ZIP pw:eip

This PoC exploits CVE-2017-12629 in Apache Solr by leveraging XXE and the RunExecutableListener class to achieve remote code execution. It supports multiple exfiltration methods and encoding formats for command output.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Solr before 7.1 with Apache Lucene before 7.1

No auth needed

Prerequisites: Access to a vulnerable Apache Solr instance · Network connectivity for exfiltration

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1204.001 - Malicious Link T1059.004 - Unix Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Solr <= 7.1 - XML Entity Injection

CRITICALby dwisiswant0

Shodan: cpe:"cpe:2.3:a:apache:solr" || http.title:"apache solr" || http.title:"solr admin"

FOFA: title="solr admin" || title="apache solr"

References (24)

Core 24

Core References

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0003

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3123

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0005

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3244

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3124

Mailing List, Vendor Advisory mailing-list x_refsource_mlist

http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2018/dsa-4124

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4259-1/

Third Party Advisory x_refsource_misc

https://twitter.com/ApacheSolr/status/918731485611401216

Third Party Advisory x_refsource_misc

https://twitter.com/searchtools_avi/status/918904813613543424

Mailing List, Third Party Advisory x_refsource_misc

http://openwall.com/lists/oss-security/2017/10/13/1

Third Party Advisory x_refsource_misc

https://twitter.com/joshbressers/status/919258716297420802

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r26c996b068ef6c5e89aa59acb769025cfd343a08e63fbe9e7f3f720f%40%3Coak-issues.jackrabbit.apache.org%3E

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3451

Exploit, Mailing List, Vendor Advisory mailing-list x_refsource_mlist

https://s.apache.org/FJDl

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0002

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/101261

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:0004

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3452

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/01/msg00028.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43009/

Scores

CVSS v3 9.8

EPSS 0.9389

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2021-04-18

CWE

CWE-611

Status published

Products (13)

apache/solr 5.5.0 - 5.5.4

canonical/ubuntu_linux 16.04

debian/debian_linux 7.0

debian/debian_linux 8.0

debian/debian_linux 9.0

n/a/Apache Solr before 7.1 with Apache Lucene before 7.1 Apache Solr before 7.1 with Apache Lucene before 7.1

n/a/Apache Solr before 7.1 with Apache Lucene before 7.1 lucene-solr - 5.3.1-redhat-2

n/a/Apache Solr before 7.1 with Apache Lucene before 7.1 lucene-solr - 7.1.0

n/a/Apache Solr before 7.1 with Apache Lucene before 7.1 lucene-solr 7.2.0

n/a/Apache Solr before 7.1 with Apache Lucene before 7.1 lucene-solr 8.0.0

... and 3 more

Published Oct 14, 2017

Tracked Since Feb 18, 2026