CVE-2019-17564

Severity: Critical · Exploited in the wild · Nuclei template available

Apache Dubbo 2.5.0-2.5.9, 2.6.0-2.6.7, 2.7.0-2.7.4 - Remote Code Execution via Unsafe Java Deserialization

Title source: llm

Exploitation Summary

CVE-2019-17564 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Dor-Tumarkin, fairyming, Jaky5155. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2019-17564, demonstrating a deserialization gadget chain in FastJson and Spring Framework to achieve RCE in Apache Dubbo 2.7.3. The gadget chain leverages TemplatesImpl and XString to trigger arbitrary command execution via Runtime.exec().

Description

Unsafe deserialization occurs within a Dubbo application that has HTTP remoting enabled. An attacker may submit a POST request carrying a serialized Java object to completely compromise a Provider instance of Apache Dubbo, if that instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Exploits (6)

Source: nomisec · Working PoC · 16 stars
by Dor-Tumarkin · poc
https://github.com/Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget

This repository contains a functional PoC for CVE-2019-17564, demonstrating a deserialization gadget chain in FastJson and Spring Framework to achieve RCE in Apache Dubbo 2.7.3. The gadget chain leverages TemplatesImpl and XString to trigger arbitrary command execution via Runtime.exec().

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Dubbo 2.7.3 · No auth needed
Prerequisites: Presence of FastJson and Spring Framework dependencies in the target environment
Analyzed by devstral-2, Feb 19, 2026

Source: nomisec · Writeup · 8 stars
by fairyming · poc
https://github.com/fairyming/CVE-2019-17564

This repository provides a detailed technical analysis of CVE-2019-17564, an Apache Dubbo deserialization vulnerability. It includes environment setup instructions, exploitation steps using ysoserial, and mitigation strategies.

Classification: Writeup (90%) · Attack type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Apache Dubbo (2.7.0-2.7.4.1, 2.6.0-2.6.7, 2.5.x) · No auth needed
Prerequisites: Apache Dubbo with HTTP protocol enabled · Presence of gadget chains (e.g., commons-collections4)
Analyzed by devstral-2, Feb 19, 2026

Source: nomisec · Suspicious · 2 stars
by Jaky5155 · poc
https://github.com/Jaky5155/CVE-2019-17564

The repository contains no exploit code or technical details, only repeated links to a video. This is characteristic of a social engineering lure rather than a legitimate PoC.

Classification: Suspicious (90%) · Attack type: Deserialization · Complexity: Theoretical · Reliability: Theoretical
Target: Apache Dubbo · No auth needed
Analyzed by devstral-2, Feb 19, 2026

Source: nomisec · Stub · 1 star
by Hu3sky · poc
https://github.com/Hu3sky/CVE-2019-17564

The repository contains only a README with minimal information about CVE-2019-17564, lacking any exploit code or technical details. It is a placeholder with no functional content.

Classification: Stub (90%) · Attack type: Deserialization · Complexity: Theoretical · Reliability: Theoretical
Target: Apache Dubbo · No auth needed
Prerequisites: none specified
Analyzed by devstral-2, Feb 19, 2026

Source: nomisec · Stub
by Exploit-3389 · poc
https://github.com/Exploit-3389/CVE-2019-17564

The repository contains only a minimal README with no functional exploit code or technical details. It appears to be a placeholder or incomplete submission.

Classification: Stub (90%) · Attack type: Other · Complexity: Trivial · Reliability: Theoretical
Target: unknown · No auth needed
Analyzed by devstral-2, Feb 19, 2026

Source: nomisec · Stub
by r00t4dm · poc
https://github.com/r00t4dm/CVE-2019-17564

The repository contains only a README with a title and an image reference, lacking any exploit code or technical details. It appears to be a placeholder or incomplete submission.

Classification: Stub (90%) · Attack type: Other · Complexity: Trivial · Reliability: Theoretical
Target: unknown · No auth needed
Analyzed by devstral-2, Feb 19, 2026

Nuclei Templates (1)

Apache Dubbo 2.5.x-2.7.4 - Insecure Deserialization
Critical · Verified · by Khalid6468
FOFA query: app="apache-dubbo"

Scores

CVSS v3: 9.8
EPSS: 0.3556
EPSS percentile: 98.2%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-05-10
InTheWild.io: 2024-05-17
CWE: CWE-502
Status: published
Products (2):
apache/dubbo 2.5.0 - 2.5.10
org.apache.dubbo/dubbo-rpc-http-invoker 2.5.0 - 2.7.5 (Maven)
Published: Apr 01, 2020
Tracked since: Feb 18, 2026