CVE-2018-12533

CRITICAL

JBoss RichFaces 3.1.0-3.3.4 - Unauthenticated Expression Language Injection via Paint2DResource ImageData Path

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2018-12533. PoCs published by llamaonsecurity, LucasKatashi, Pastea.

AI-analyzed exploit summary: This repository contains a working proof-of-concept exploit for CVE-2018-12533, which targets a deserialization vulnerability in RichFaces 3.3.4. The exploit generates a malicious URL that, when accessed, executes arbitrary code via EL injection, creating a file in /tmp as a demonstration.

Description

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.

Exploits (5)

Source: nomisec · Working PoC · 9 stars
by llamaonsecurity · poc
https://github.com/llamaonsecurity/CVE-2018-12533

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RichFaces 3.3.4 (JBoss)
Authentication: not required
Prerequisites: Vulnerable JBoss server with RichFaces 3.3.4 deployed · Network access to the target server
Analyzed by devstral-2 on Feb 16, 2026

Source: nomisec · Working PoC · 1 star
by LucasKatashi · poc
https://github.com/LucasKatashi/paint2die

This repository contains a functional exploit for CVE-2018-12533, a deserialization vulnerability in RichFaces. The exploit generates a malicious JAR payload to achieve remote code execution (RCE) on vulnerable RichFaces applications.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RichFaces (versions affected by CVE-2018-12533)
Authentication: not required
Prerequisites: Docker installed and running · SDKMAN installed · Python 3.x with required dependencies
Analyzed by devstral-2 on Feb 16, 2026

Source: nomisec · Working PoC · 1 star
by Pastea · poc
https://github.com/Pastea/CVE-2018-12533

This PoC exploits a deserialization vulnerability in RichFaces (CVE-2018-12533) by crafting a malicious serialized object that executes arbitrary EL expressions when deserialized. The exploit generates a base64-encoded payload for use in attacks against vulnerable applications.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: RichFaces (JBoss)
Authentication: not required
Prerequisites: Vulnerable RichFaces version · Ability to send crafted serialized data to the target
Analyzed by devstral-2 on Feb 16, 2026

Source: nomisec · Working PoC
by mhagnumdw · poc
https://github.com/mhagnumdw/richfaces-vulnerability-cve-2018-12533-rf-14310

This repository contains a functional proof-of-concept exploit for CVE-2018-12533, a deserialization vulnerability in RichFaces. The exploit generates a malicious serialized object that, when deserialized, executes arbitrary commands via a JavaScript engine.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RichFaces 3.3.4.Final
Authentication: not required
Prerequisites: Access to a vulnerable RichFaces application · Ability to send crafted HTTP requests
Analyzed by devstral-2 on Feb 16, 2026

Source: inthewild · Working PoC
poc
https://github.com/thekalin/cve-2018-12533

This repository contains a functional exploit for CVE-2018-12533, a deserialization vulnerability in RichFaces 3.3.4. The exploit generates a malicious payload that, when processed by a vulnerable JBoss server, executes arbitrary commands via EL injection.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RichFaces 3.3.4 on JBoss 5.1.0.GA
Authentication: not required
Prerequisites: Vulnerable JBoss server with RichFaces 3.3.4 deployed · Network access to the target server
Analyzed by devstral-2 on Feb 23, 2026

References (7)

https://access.redhat.com/errata/RHSA-2018:2664 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.securitytracker.com/id/1041617 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_sectrack)
https://access.redhat.com/errata/RHSA-2018:2663 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.securityfocus.com/bid/104502 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
https://access.redhat.com/errata/RHSA-2018:2930 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://seclists.org/fulldisclosure/2020/Mar/21 (Mailing List; mailing-list; x_refsource_fulldisc)

Scores

CVSS v3: 9.8
EPSS: 0.7969
EPSS Percentile: 99.1%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-917
Status: published
Products (2):
org.richfaces/richfaces-core 3.1.0 (Maven)
redhat/richfaces 3.1.0 - 3.3.4
Published: Jun 18, 2018
Tracked Since: Feb 18, 2026