CVE-2017-7504

CRITICAL EXPLOITED

Red Hat JBoss Enterprise Application Platform < 4.0 and JBoss 4.x - Remote Code Execution via Untrusted Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-7504 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including wudidwo.

AI-analyzed exploit summary This PoC checks for the presence of CVE-2017-7504, a deserialization vulnerability in JBossMQ HTTP-IL servlet, by sending a GET request to the target endpoint and verifying the response. It does not exploit the vulnerability but confirms its existence.

Description

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

Exploits (1)

nomisec SCANNER
by wudidwo · poc
https://github.com/wudidwo/CVE-2017-7504-poc

This PoC checks for the presence of CVE-2017-7504, a deserialization vulnerability in JBossMQ HTTP-IL servlet, by sending a GET request to the target endpoint and verifying the response. It does not exploit the vulnerability but confirms its existence.

Classification
Scanner 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: JBoss 4.x with JBossMQ JMS
No auth needed
Prerequisites: Network access to the target JBoss server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1451441
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98595

Scores

CVSS v3 9.8
EPSS 0.2932
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-03-23
CWE
CWE-502
Status published
Products (2)
Red Hat, Inc./JBoss 4.x
redhat/jboss_enterprise_application_platform < 4.0
Published May 19, 2017
Tracked Since Feb 18, 2026