CVE-2019-12180

HIGH

SmartBear ReadyAPI 2.8.2-3.0.0 and SoapUI <5.5 - Remote Code Execution via Groovy Load Script

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12180. PoCs published by 0x-nope.

AI-analyzed exploit summary The repository provides a technical analysis of CVE-2019-12180, detailing how Groovy scripts embedded in SoapUI/ReadyAPI project files can execute arbitrary commands upon project load. It includes an example reverse shell payload but lacks functional exploit code.

Description

An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.

Exploits (1)

nomisec WRITEUP 4 stars
by 0x-nope · poc
https://github.com/0x-nope/CVE-2019-12180

The repository provides a technical analysis of CVE-2019-12180, detailing how Groovy scripts embedded in SoapUI/ReadyAPI project files can execute arbitrary commands upon project load. It includes an example reverse shell payload but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: SoapUI 5.5 and earlier, ReadyAPI 3.0.0 and earlier
No auth needed
Prerequisites: Victim must open a malicious project file
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://lab.mediaservice.net/advisory/2020-04-readyapi-soapui.txt

Scores

CVSS v3 7.8
EPSS 0.0864
EPSS Percentile 92.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
smartbear/readyapi 2.8.2 - 3.0.0
smartbear/soapui < 5.5
Published Feb 05, 2020
Tracked Since Feb 18, 2026