CVE-2019-17558

HIGH KEV NUCLEI

Apache Solr 5.0.0-8.3.1 - Remote Code Execution via Velocity Template Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-17558 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 8 public exploits from researchers including Metasploit, @l3x_wong, zhzyker, including a Metasploit module exploits/multi/http/solr_velocity_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2019-17558 in Apache Solr <= 8.3.0 by enabling the Velocity Response Writer's params resource loader and executing arbitrary code via a custom Velocity template. It supports multiple platforms and payload types, including Unix, Linux, and Windows targets.

Description

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/48338

This Metasploit module exploits CVE-2019-17558 in Apache Solr <= 8.3.0 by enabling the Velocity Response Writer's params resource loader and executing arbitrary code via a custom Velocity template. It supports multiple platforms and payload types, including Unix, Linux, and Windows targets.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr <= 8.3.0
Auth required
Prerequisites: Solr core names · Basic authentication credentials (if enabled) · Network access to Solr admin interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by @l3x_wong · pythonwebappsjava
https://www.exploit-db.com/exploits/47572

This exploit leverages a Velocity template injection vulnerability in Apache Solr 8.2.0 to achieve remote code execution (RCE) by manipulating the configuration to enable arbitrary command execution via a crafted HTTP request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr 8.2.0
No auth needed
Prerequisites: Apache Solr 8.2.0 with exposed admin interface · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4,275 stars
by zhzyker · remote
https://github.com/zhzyker/exphub

The repository contains a working proof-of-concept exploit for CVE-2018-7600, a remote code execution vulnerability in Drupal. The exploit leverages the Drupalgeddon 2 vulnerability to execute arbitrary commands on vulnerable Drupal installations.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Drupal 6.x, Drupal 7.x < 7.58, Drupal 8.3 < 8.3.9, Drupal 8.4 < 8.4.6, Drupal 8.5 < 8.5.1
No auth needed
Prerequisites: Target must be running a vulnerable version of Drupal · Network access to the target
devstral-2 · analyzed Feb 15, 2026 Full analysis →
nomisec WORKING POC 2 stars
by Ma1Dong · remote
https://github.com/Ma1Dong/Solr_CVE-2019-17558

This repository contains a functional Python exploit for CVE-2019-17558, a remote code execution vulnerability in Apache Solr. The exploit leverages the VelocityResponseWriter to execute arbitrary commands by manipulating Solr's configuration and template parameters.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2019-17558)
No auth needed
Prerequisites: Target Solr instance accessible · Solr admin interface exposed · No authentication required
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec SUSPICIOUS 1 stars
by thelostworldFree · poc
https://github.com/thelostworldFree/CVE-2019-17558_Solr_Vul_Tool

The repository claims to be a tool for detecting and exploiting CVE-2019-17558 (Solr Velocity template injection RCE) but provides no actual exploit code. It only includes a README with generic descriptions and screenshots, directing users to download platform-specific JAR files from an external source.

Classification
Suspicious 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Apache Solr (versions affected by CVE-2019-17558)
No auth needed
Prerequisites: Network access to vulnerable Solr instance · Velocity template processing enabled
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WRITEUP
by rogerzeferino · poc
https://github.com/rogerzeferino/Apache-Solr-RCE-CVE-2019-17558

This repository provides a detailed technical writeup of exploiting CVE-2019-17558, a Velocity Template Injection vulnerability in Apache Solr, including manual exploitation steps and analysis of why automated tools like Metasploit failed.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr (versions affected by CVE-2019-17558)
No auth needed
Prerequisites: Apache Solr instance with exposed admin interface · Velocity Response Writer enabled or exploitable to enable it
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS
by xkyrage · poc
https://github.com/xkyrage/Exploit_CVE-2019-17558-RCE

The repository contains a vague README with no actual exploit code, only a brief description mentioning URL encoding and HTTP requests. It lacks technical details about the vulnerability or functional PoC code.

Classification
Suspicious 90%
Attack Type
Rce
Complexity
Theoretical
Reliability
Theoretical
Target: Apache Solr 1.4
No auth needed
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by s00py, jas502n, AleWong · rubypocjava
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/solr_velocity_rce.rb

This Metasploit module exploits CVE-2019-17558 in Apache Solr <= 8.3.0 by enabling the Velocity Response Writer's params resource loader and executing arbitrary code via a crafted Velocity template. It supports multiple targets (Java, Unix, Linux, Windows) and includes authentication handling.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr <= 8.3.0
Auth required
Prerequisites: Network access to Solr admin interface · Valid credentials if authentication is enabled · Identification of at least one Solr core
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Solr <=8.3.1 - Remote Code Execution
HIGHby pikpikcu,madrobot
Shodan: cpe:"cpe:2.3:a:apache:solr" || http.title:"apache solr" || http.title:"solr admin"
FOFA: title="solr admin" || title="apache solr"

References (30)

Core 30
Core References
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://issues.apache.org/jira/browse/SOLR-13971

Scores

CVSS v3 7.5
EPSS 0.9447
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-0320
CWE
CWE-74
Status published
Products (7)
apache/solr 5.0.0 - 7.7.3
oracle/primavera_unifier 16.1
oracle/primavera_unifier 16.2
oracle/primavera_unifier 18.8
oracle/primavera_unifier 19.12
oracle/primavera_unifier 17.7 - 17.12
org.apache.solr/solr-core 5.0.0 - 8.4.0Maven
Published Dec 30, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026