CVE-2019-11580

CRITICAL KEV RANSOMWARE NUCLEI

Atlassian Crowd 2.1.0-3.4.3 - Remote Code Execution via pdkinstall Plugin

Exploitation Summary

CVE-2019-11580 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021), with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including jas502n, shelld3v, and zeroauth; one of them is the Metasploit module exploits/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce. A Nuclei detection template is also available.

Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Exploits (4)

nomisec WORKING POC 106 stars
by jas502n · remote
https://github.com/jas502n/CVE-2019-11580

This repository contains a functional exploit for CVE-2019-11580, targeting Atlassian Crowd's plugin upload functionality. The Python script sends a crafted multipart request to upload a malicious plugin, achieving remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Crowd (versions before 3.4.5, 3.3.6, 3.2.9, 3.1.7, and 3.0.10)
Auth required
Prerequisites: Network access to the target Crowd instance · Valid credentials for an admin account
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 6 stars
by shelld3v · remote
https://github.com/shelld3v/CVE-2019-11580

This repository contains a functional Python script that exploits CVE-2019-11580, a vulnerability in Atlassian Crowd. The script sends a crafted multipart request to the vulnerable endpoint to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Crowd (versions affected by CVE-2019-11580)
No auth needed
Prerequisites: Network access to the target Atlassian Crowd instance · Vulnerable version of Atlassian Crowd
devstral-2 · analyzed Feb 18, 2026

gitlab WORKING POC
by zeroauth · remote-auth
https://gitlab.com/zeroauth/cve-2019-11580_poc_exploit

This repository contains functional exploit code for CVE-2019-11580, demonstrating remote code execution (RCE) via a malicious Atlassian Crowd plugin. The exploit involves uploading a plugin containing a servlet that executes arbitrary commands based on HTTP request parameters.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Crowd (versions 1.2.4-2.7.2 and 2.9.1-3.4.5)
Auth required
Prerequisites: Admin access to upload a plugin · Vulnerable Atlassian Crowd instance
devstral-2 · analyzed Feb 23, 2026

metasploit WORKING POC EXCELLENT
by Paul, Corben Leo, Grant Willcox · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce.rb

This Metasploit module exploits an unauthenticated plugin upload vulnerability in Atlassian Crowd (CVE-2019-11580) by uploading a malicious JAR file containing a servlet payload. The exploit leverages the pdkinstall development plugin to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Crowd
No auth needed
Prerequisites: Network access to the target · Target running vulnerable Atlassian Crowd instance
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
CRITICAL · by dwisiswant0
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira"

References (4)

Core References
Issue Tracking, Mitigation, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/CWD-5388
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108637

Scores

CVSS v3 9.8
EPSS 0.9438
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-10-20
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-3250
Ransomware Use Confirmed
Status published
Products (1)
atlassian/crowd 2.1.0 - 3.0.5
Published Jun 03, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026