CVE-2020-10199

Severity: HIGH · KEV · Nuclei

Nexus Repository Manager Java EL Injection RCE

Title source: metasploit

Exploitation Summary

CVE-2020-10199 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 10 public exploits from researchers including 1F98D, Metasploit and zhzyker, among them the Metasploit module exploits/linux/http/nexus_repo_manager_el_injection. A Nuclei detection template is also available. Every tracked exploit requires valid Nexus credentials; the issue is fixed in Nexus Repository Manager 3.21.2.

AI-analyzed exploit summary: This exploit leverages a Java EL injection vulnerability in Sonatype Nexus Repository Manager 3.21.1 and below to achieve remote code execution. It authenticates as an admin user and sends a maliciously crafted payload to execute arbitrary commands via the `/service/rest/beta/repositories/go/group` endpoint.

Description

Sonatype Nexus Repository before 3.21.2 allows Java EL Injection (issue 1 of 2).

Exploits (10)

exploitdb · WORKING POC · VERIFIED
by 1F98D · python · webapps · java
https://www.exploit-db.com/exploits/49385

This exploit leverages a Java EL injection vulnerability in Sonatype Nexus Repository Manager 3.21.1 and below to achieve remote code execution. It authenticates as an admin user and sends a maliciously crafted payload to execute arbitrary commands via the `/service/rest/beta/repositories/go/group` endpoint.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Sonatype Nexus Repository Manager 3.21.1 and below
Auth required. Prerequisites: Valid admin credentials · Network access to the target server
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/48343

This Metasploit module exploits a Java EL injection vulnerability in Nexus Repository Manager to achieve remote code execution. It authenticates with provided credentials, crafts a malicious EL payload, and executes arbitrary commands via a command stager.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Nexus Repository Manager <= 3.21.1
Auth required. Prerequisites: Valid Nexus credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 43 stars
by zhzyker · remote-auth
https://github.com/zhzyker/CVE-2020-10199_POC-EXP

This repository contains a working exploit for CVE-2020-10199, a remote command execution vulnerability in Nexus Repository Manager 3.x. The exploit leverages deserialization via BCEL (Byte Code Engineering Library) to execute arbitrary commands on the target system.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1
Auth required. Prerequisites: Valid credentials for the Nexus Repository Manager · Network access to the target system
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 35 stars
by jas502n · remote-auth
https://github.com/jas502n/CVE-2020-10199

This repository provides proof-of-concept exploits for CVE-2020-10199, CVE-2020-10204, and CVE-2020-11444 in Nexus Repository Manager 3. It includes command injection payloads for RCE and details on privilege escalation and authentication bypass vulnerabilities.

Classification: Working PoC 90% · Attack type: RCE | Auth bypass · Complexity: Moderate · Reliability: Reliable
Target: Nexus Repository Manager 3 <= 3.21.2
Auth required. Prerequisites: Access to vulnerable Nexus instance · Valid credentials for some endpoints
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 31 stars
by aleenzz · remote-auth
https://github.com/aleenzz/CVE-2020-10199

This PoC exploits CVE-2020-10199, a remote code execution vulnerability in Sonatype Nexus Repository Manager 3. The exploit leverages a deserialization flaw via BCEL (Byte Code Engineering Library) to execute arbitrary commands on the target system.

Classification: Working PoC 90% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Sonatype Nexus Repository Manager 3
Auth required. Prerequisites: Valid credentials for authentication · Network access to the target system
devstral-2 · analyzed Feb 16, 2026
nomisec · SCANNER · 25 stars
by magicming200 · poc
https://github.com/magicming200/CVE-2020-10199_CVE-2020-10204

This repository contains a Java-based GUI tool for detecting CVE-2020-10199 and CVE-2020-10204 vulnerabilities in Sonatype Nexus Repository Manager. It requires authenticated access and uses randomized payloads for stability.

Classification: Scanner 90% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Sonatype Nexus Repository Manager OSS/Pro <= 3.21.1
Auth required. Prerequisites: Authenticated low-privilege account (CVE-2020-10199) · Authenticated admin account (CVE-2020-10204) · Valid cookie and CSRF token
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 19 stars
by wsfengfan · infoleak
https://github.com/wsfengfan/CVE-2020-10199-10204

This PoC demonstrates CVE-2020-10199 and CVE-2020-10204, which are EL injection vulnerabilities in Sonatype Nexus Repository Manager. The script checks for the presence of these vulnerabilities by injecting a test string and verifying its reflection in the response.

Classification: Working PoC 90% · Attack type: Other · Complexity: Trivial · Reliability: Reliable
Target: Sonatype Nexus Repository Manager
Auth required. Prerequisites: Valid session cookie · CSRF token · Access to the target application
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by finn79426 · remote-auth
https://github.com/finn79426/CVE-2020-10199

This repository provides a working proof-of-concept exploit for CVE-2020-10199, targeting Sonatype Nexus Repository Manager OSS 3.20.1-01. It demonstrates remote code execution via Java EL injection and includes a BCEL payload to bypass security restrictions, ultimately achieving a reverse shell.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Sonatype Nexus Repository Manager OSS 3.20.1-01
Auth required. Prerequisites: Authenticated session with valid NX-ANTI-CSRF-TOKEN and NXSESSIONID · Access to the target's REST API endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by hugosg97 · remote-auth
https://github.com/hugosg97/CVE-2020-10199-Nexus-3.21.01

This exploit leverages an authenticated remote code execution vulnerability in Sonatype Nexus 3.21.01 by injecting a malicious expression into the repository configuration, which executes arbitrary commands via Java Runtime.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Sonatype Nexus Repository Manager 3.21.01
Auth required. Prerequisites: Valid credentials for Nexus Repository Manager · Network access to the target
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Alvaro Muñoz, wvu · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nexus_repo_manager_el_injection.rb

This Metasploit module exploits a Java EL injection vulnerability in Nexus Repository Manager to achieve remote code execution. It authenticates with provided credentials, crafts a malicious EL payload, and executes arbitrary commands via a command stager.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Nexus Repository Manager <= 3.21.1
Auth required. Prerequisites: Valid Nexus credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Sonatype Nexus Repository Manager 3 - Remote Code Execution
Severity: HIGH · by rootxharsh, iamnoooob, pdresearch
FOFA query: title="nexus repository manager"

Scores

CVSS v3: 8.8
EPSS: 0.9438
EPSS percentile: 100.0%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: no
Technical impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-11-03
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-0379
CWE: CWE-917
Status: published
Products (2):
org.sonatype.nexus/nexus-extdirect 0 - 3.21.2 (Maven)
sonatype/nexus < 3.21.2
Published: Apr 01, 2020
KEV added: Nov 03, 2021
Tracked since: Feb 18, 2026