CVE-2020-17530

CRITICAL KEV NUCLEI

Apache Struts 2 Forced Multi OGNL Evaluation

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2020-17530 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 13 public exploits from researchers including ka1n4t, wuzuowei, Al1ex, including a Metasploit module exploits/multi/http/struts2_multi_eval_ognl. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2020-17530 (Struts2 RCE via OGNL injection) by crafting a malicious payload that executes arbitrary commands (e.g., launching Calculator on macOS). The Python script sends the payload via HTTP POST to a vulnerable Struts2 endpoint.

Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Exploits (13)

nomisec WORKING POC 65 stars
by ka1n4t · remote
https://github.com/ka1n4t/CVE-2020-17530

This PoC exploits CVE-2020-17530 (Struts2 RCE via OGNL injection) by crafting a malicious payload that executes arbitrary commands (e.g., launching Calculator on macOS). The Python script sends the payload via HTTP POST to a vulnerable Struts2 endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.0.0 to 2.5.25
No auth needed
Prerequisites: Vulnerable Struts2 application exposed · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 48 stars
by wuzuowei · remote
https://github.com/wuzuowei/CVE-2020-17530

This repository contains two Python scripts demonstrating exploitation of CVE-2020-17530 (Struts2 S2-061), a remote code execution vulnerability. The scripts include a command execution PoC and a reverse shell payload, both leveraging OGNL injection via crafted payloads.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.0.0-2.5.25
No auth needed
Prerequisites: Target running vulnerable Struts2 version · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 29 stars
by Al1ex · remote
https://github.com/Al1ex/CVE-2020-17530

This repository contains a working PoC for CVE-2020-17530 (S2-061), demonstrating remote code execution via OGNL injection in Apache Struts2. The exploit leverages Freemarker template utility to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (versions affected by CVE-2020-17530)
No auth needed
Prerequisites: Vulnerable Apache Struts2 instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 7 stars
by fengziHK · remote
https://github.com/fengziHK/CVE-2020-17530-strust2-061

This PoC exploits CVE-2020-17530, a remote code execution vulnerability in Apache Struts2 due to unsafe OGNL expression evaluation. It constructs a malicious payload to execute arbitrary commands via a crafted URL parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 2.0.0-2.5.25
No auth needed
Prerequisites: Target running vulnerable Struts2 version · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB 5 stars
by uzzzval · poc
https://github.com/uzzzval/CVE-2020-17530

The repository contains only a README file with no exploit code or technical details. No actionable PoC or exploit logic is present.

Classification
Stub 10%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by CyborgSecurity · remote
https://github.com/CyborgSecurity/CVE-2020-17530

This is a functional exploit for CVE-2020-17530, leveraging OGNL injection in Apache Struts to achieve remote code execution. The PoC constructs a malicious payload to execute arbitrary commands via a crafted HTTP request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2.0.0 - 2.5.25
No auth needed
Prerequisites: Target running vulnerable Apache Struts version · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB 1 stars
by secpool2000 · poc
https://github.com/secpool2000/CVE-2020-17530

The repository contains a non-functional Python script with a placeholder print statement and a README describing CVE-2020-17530, an OGNL injection vulnerability in Apache Struts2. No actual exploit code is present.

Classification
Stub 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Apache Struts2 (versions affected by CVE-2020-17530)
No auth needed
Prerequisites: Apache Struts2 application with vulnerable configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by fatkz · remote
https://github.com/fatkz/CVE-2020-17530

This is a Python-based exploit for CVE-2020-17530, an OGNL injection vulnerability in Apache Struts2/Tomcat. It constructs a malicious payload to execute arbitrary system commands via OGNL expression injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (with Tomcat)
No auth needed
Prerequisites: Target running vulnerable Apache Struts2/Tomcat · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by nth347 · poc
https://github.com/nth347/CVE-2020-17530

This PoC demonstrates CVE-2020-17530, a vulnerability in Apache Struts2 where improper validation of file uploads can lead to RCE. The provided code sets up a Tomcat server with a vulnerable Struts2 configuration, allowing for exploitation via malicious file uploads.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (versions affected by CVE-2020-17530)
No auth needed
Prerequisites: Vulnerable Apache Struts2 instance · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by keyuan15 · remote
https://github.com/keyuan15/CVE-2020-17530

This repository contains a Python-based exploit for CVE-2020-17530, a remote command execution vulnerability in Apache Struts2 (S2-061). The exploit leverages OGNL injection to execute arbitrary commands on vulnerable systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (versions affected by S2-061)
No auth needed
Prerequisites: Vulnerable Apache Struts2 instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by killmonday · remote
https://github.com/killmonday/CVE-2020-17530-s2-061

This repository contains a GUI-based exploit for CVE-2020-17530, a remote code execution vulnerability in Apache Struts2 (S2-061). The exploit leverages OGNL injection to execute arbitrary commands on the target system. The GUI allows users to input a target URL and command, then displays the output.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (versions affected by S2-061)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts2 · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by ludy-dev · remote
https://github.com/ludy-dev/freemarker_RCE_struts2_s2-061

This PoC exploits CVE-2020-17530, a remote code execution vulnerability in Apache Struts2 (S2-061) via Freemarker template injection. It constructs a malicious payload to bypass security restrictions and execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts2 (versions affected by S2-061)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts2 · Freemarker template engine must be in use
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Spencer McIntyre, Matthias Kaiser, Alvaro Muñoz, ka1n4t · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_multi_eval_ognl.rb

This Metasploit module exploits CVE-2020-17530 and CVE-2019-0230 in Apache Struts 2 by leveraging forced OGNL evaluation to achieve remote code execution (RCE). It supports both direct command execution and staged payloads for Unix/Linux targets.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 (versions affected by CVE-2020-17530 and CVE-2019-0230)
No auth needed
Prerequisites: Vulnerable Struts 2 application with exposed endpoints · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Apache Struts 2.0.0-2.5.25 - Remote Code Execution
CRITICALby pikpikcu
Shodan: http.html:"apache struts" || http.title:"struts2 showcase" || http.html:"struts problem report"
FOFA: body="struts problem report" || title="struts2 showcase" || body="apache struts"

References (12)

Core 12
Core References
Vendor Advisory x_refsource_confirm
https://cwiki.apache.org/confluence/display/WW/S2-061
Third Party Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN43969166/index.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Patch, Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210115-0005/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/04/12/6
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 9.8
EPSS 0.9437
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-12
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2022-1073
CWE
CWE-917
Status published
Products (14)
apache/struts 2.0.0 - 2.5.30
oracle/business_intelligence 12.2.1.3.0
oracle/business_intelligence 12.2.1.4.0
oracle/communications_diameter_intelligence_hub 8.0.0
oracle/communications_diameter_intelligence_hub 8.1.0
oracle/communications_diameter_intelligence_hub 8.2.0
oracle/communications_diameter_intelligence_hub 8.2.3
oracle/communications_policy_management 12.5.0
oracle/communications_pricing_design_center 12.0.0.3.0
oracle/financial_services_data_integration_hub 8.0.3
... and 4 more
Published Dec 11, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026