CVE-2017-9791

CRITICAL KEV NUCLEI

Apache Struts 2.1.x and 2.3.x - Remote Code Execution via ActionMessage Field Value

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-9791 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2022. EIP tracks 10 public exploits from researchers including Metasploit, Vex Woo, qazbnm456, including a Metasploit module exploits/multi/http/struts2_code_exec_showcase. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-9791, a remote code execution vulnerability in Apache Struts 2.3.x via OGNL injection in the Struts 1 plugin showcase. It sends a malicious POST request to execute arbitrary commands on the target system.

Description

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/44643

This Metasploit module exploits CVE-2017-9791, a remote code execution vulnerability in Apache Struts 2.3.x via OGNL injection in the Struts 1 plugin showcase. It sends a malicious POST request to execute arbitrary commands on the target system.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.x
No auth needed
Prerequisites: Target must have the Struts 1 plugin showcase app deployed · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Vex Woo · pythonwebappsmultiple
https://www.exploit-db.com/exploits/42324

This exploit leverages CVE-2017-9791 (Apache Struts2 S2-048) by crafting an OGNL expression payload to execute arbitrary commands via Runtime.exec(). The payload bypasses security restrictions by manipulating OGNL context and clearing excluded classes/packages.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.5 - 2.3.31, 2.5 - 2.5.10
No auth needed
Prerequisites: Target running vulnerable Struts2 version · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-9791.md

This repository provides a detailed writeup and references for CVE-2017-9791 (S2-048), a remote code execution vulnerability in Apache Struts2. It includes links to external PoCs and technical analyses but does not contain direct exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2
No auth needed
Prerequisites: vulnerable Apache Struts2 instance
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 27 stars
by dragoneeg · remote
https://github.com/dragoneeg/Struts2-048

This is a functional exploit for CVE-2017-9791, a remote code execution vulnerability in Apache Struts2. It leverages OGNL injection to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (versions affected by CVE-2017-9791)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts2 · Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-9791.md

This repository provides a detailed writeup and references for CVE-2017-9791 (S2-048), a remote code execution vulnerability in Apache Struts2. It includes links to functional PoCs and technical analyses but does not contain exploit code itself.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2
No auth needed
Prerequisites: Apache Struts2 with vulnerable configuration
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 2 stars
by IanSmith123 · remote
https://github.com/IanSmith123/s2-048

This repository contains a Python script and README demonstrating an OGNL injection exploit for CVE-2017-9791 (Struts2 S2-048). The PoC executes arbitrary commands via a crafted Content-Type header, leveraging Struts2's OGNL evaluation to achieve RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache Struts 2.3.5 - 2.3.31, 2.5 - 2.5.10
No auth needed
Prerequisites: Target running vulnerable Struts2 version · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 1 stars
by vaishakhcv · perlpoc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-9791

This repository contains a functional Perl exploit for CVE-2017-9791, targeting Apache Struts 2.3.x via OGNL injection in the Struts 1 plugin. The exploit sends a crafted POST request to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.x (Struts 1 plugin)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts 2.3.x with the Struts 1 plugin enabled
devstral-2 · analyzed Feb 27, 2026 Full analysis →
github WORKING POC
by winterwolf32 · perlpoc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-9791

This repository contains a functional Perl exploit for CVE-2017-9791, targeting Apache Struts 2.3.x via OGNL injection in the Struts 1 plugin. The exploit sends a crafted POST request to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.x (Struts 1 plugin)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts 2.3.x with the Struts 1 plugin enabled
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by xfer0 · remote
https://github.com/xfer0/CVE-2017-9791

This is a Metasploit module for CVE-2017-9791, a remote code execution vulnerability in Apache Struts 2.3.x via OGNL injection in the Struts 1 plugin showcase app. The exploit sends a malicious POST request to execute arbitrary commands on the target system.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.x (Struts 1 plugin showcase app)
No auth needed
Prerequisites: Target must have the Struts 2.3.x Struts 1 plugin showcase app deployed · Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by icez <ic3z at qq dot com>, Nixawk, xfer0 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_code_exec_showcase.rb

This Metasploit module exploits CVE-2017-9791, a remote code execution vulnerability in Apache Struts 2.3.x via OGNL injection in the Struts 1 plugin showcase. It sends a malicious HTTP POST request with an OGNL payload to execute arbitrary commands on the target system.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.3.x (Struts 1 Plugin Showcase)
No auth needed
Prerequisites: Target must have the Struts 2 Showcase app with the Struts 1 plugin example deployed · Network access to the target's HTTP service (default port 8080)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Struts2 S2-053 - Remote Code Execution
CRITICALVERIFIEDby pikpikcu
Shodan: title:"Struts2 Showcase" || http.title:"struts2 showcase" || http.html:"struts problem report" || http.html:"apache struts"
FOFA: title="Struts2 Showcase" || title="struts2 showcase" || body="apache struts" || body="struts problem report"

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99484
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42324/
Mitigation, Vendor Advisory x_refsource_confirm
http://struts.apache.org/docs/s2-048.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038838
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44643/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180706-0002/

Scores

CVSS v3 9.8
EPSS 0.9893
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-02-10
VulnCheck KEV 2020-06-24
InTheWild.io 2019-05-29
CWE
CWE-20
Status published
Products (36)
apache/struts 2.3.1
apache/struts 2.3.1.1
apache/struts 2.3.1.2
apache/struts 2.3.3
apache/struts 2.3.4
apache/struts 2.3.4.1
apache/struts 2.3.7
apache/struts 2.3.8
apache/struts 2.3.12
apache/struts 2.3.14
... and 26 more
Published Jul 10, 2017
KEV Added Feb 10, 2022
Tracked Since Feb 18, 2026