CVE-2018-14324

CRITICAL

Oracle GlassFish Open Source Edition 5.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-14324. PoCs published by matejsmycka.

AI-analyzed exploit summary: This repository contains a Java-based PoC exploit for CVE-2018-14324, which targets a JMX deserialization vulnerability. The code demonstrates how to connect to a JMX server and invoke operations on MBeans, potentially leading to remote code execution.

Description

The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a "jmx_rmi remote monitoring and control problem." NOTE: this is not an Oracle supported product.

Exploits (1)

nomisec WORKING POC
by matejsmycka · poc
https://github.com/matejsmycka/CVE-2018-14324-Exploit

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: JMX servers with DiagnosticCommand MBean enabled
Auth required
Prerequisites: Access to JMX server · Valid credentials
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Issue Tracking (x_refsource_confirm): https://github.com/eclipse-ee4j/glassfish/issues/22500
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1041292

Scores

CVSS v3 9.8
EPSS 0.0438
EPSS Percentile 90.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-798
Status published
Products (1)
oracle/glassfish_server 5.0
Published Jul 16, 2018
Tracked Since Feb 18, 2026