CVE-2018-1297

CRITICAL

Apache JMeter 2.x-3.x - Unauthenticated Remote Code Execution via Unsecured RMI Connection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-1297. PoCs published by 48484848484848, Al1ex.

AI-analyzed exploit summary This repository provides a working proof-of-concept for CVE-2018-1297, a deserialization vulnerability in Apache JMeter 2.x and 3.x. It uses ysoserial to exploit RMI and achieve remote command execution, demonstrated by creating a file in the target container.

Description

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

Exploits (2)

nomisec WORKING POC

by 48484848484848 · poc

https://github.com/48484848484848/Jmeter-CVE-2018-1297-

View Code ZIP pw:eip

This repository provides a working proof-of-concept for CVE-2018-1297, a deserialization vulnerability in Apache JMeter 2.x and 3.x. It uses ysoserial to exploit RMI and achieve remote command execution, demonstrated by creating a file in the target container.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache JMeter 2.x and 3.x

No auth needed

Prerequisites: Docker environment · ysoserial-0.0.6-SNAPSHOT-all.jar · Access to RMI port (1099)

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Al1ex · poc

https://github.com/Al1ex/CVE-2018-1297

View Code ZIP pw:eip

This PoC exploits CVE-2018-1297, a deserialization vulnerability in Apache JMeter's RMI service, by leveraging ysoserial to execute arbitrary commands. It includes a DNS callback for verification and a reverse shell payload for exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache JMeter (versions affected by CVE-2018-1297)

No auth needed

Prerequisites: ysoserial-0.0.6-SNAPSHOT-all.jar · access to target's RMI service on port 1099 · network connectivity to attacker's VPS for reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List, Vendor Advisory mailing-list x_refsource_mlist

http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E

Issue Tracking, Vendor Advisory x_refsource_confirm

https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.1799

EPSS Percentile 95.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-319

Status published

Products (19)

apache/jmeter 2.1

apache/jmeter 2.2

apache/jmeter 2.3

apache/jmeter 2.3.1

apache/jmeter 2.3.2

apache/jmeter 2.3.3 (3 CPE variants)

apache/jmeter 2.3.4 (4 CPE variants)

apache/jmeter 2.4

apache/jmeter 2.5 (4 CPE variants)

apache/jmeter 2.5.1 (4 CPE variants)

... and 9 more

Published Feb 13, 2018

Tracked Since Feb 18, 2026