CVE-2020-7961

Severity: Critical · CISA KEV · Nuclei template available

Liferay Portal <7.2.1 CE GA2 - Code Injection


Exploitation Summary

CVE-2020-7961 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 12 public exploits from sources including Metasploit, mzer0one and ShutdownRepo, among them the Metasploit module exploits/multi/http/liferay_java_unmarshalling. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a Java unmarshalling vulnerability in Liferay Portal via JSONWS to achieve remote code execution. It uses a gadget chain involving C3P0WrapperConnPool to trigger deserialization of malicious payloads.

Description

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Exploits (12)

exploitdb · Working PoC · Verified
by Metasploit · remote · java
https://www.exploit-db.com/exploits/48332

This Metasploit module exploits a Java unmarshalling vulnerability in Liferay Portal via JSONWS to achieve remote code execution. It uses a gadget chain involving C3P0WrapperConnPool to trigger deserialization of malicious payloads.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
Auth: No auth needed
Prerequisites: Network access to the target Liferay Portal instance · Vulnerable version of Liferay Portal
Analyzed by devstral-2 · Feb 16, 2026

nomisec · Working PoC · 119 stars
by mzer0one · remote
https://github.com/mzer0one/CVE-2020-7961-POC

This repository contains a functional exploit PoC for CVE-2020-7961, an unauthenticated remote code execution vulnerability in Liferay Portal 7.2.0 CE GA1 via JSONWS deserialization. The exploit uses a C3P0WrapperConnPool gadget to trigger arbitrary code execution by serving a malicious serialized payload via an HTTP server.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal 7.2.0 CE GA1
Auth: No auth needed
Prerequisites: Network access to the target Liferay Portal instance · Python environment with requests and BeautifulSoup libraries
Analyzed by devstral-2 · Feb 18, 2026

nomisec · Working PoC · 18 stars
by ShutdownRepo · remote
https://github.com/ShutdownRepo/CVE-2020-7961

This repository contains a functional exploit for CVE-2020-7961, targeting Liferay Portal's JSON web services API. The script automates the discovery of vulnerable endpoints and executes arbitrary commands via deserialization of malicious objects.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal (tested on 6.2 GA6)
Auth: No auth needed
Prerequisites: Network access to the target Liferay Portal instance · Exposed JSON web services API endpoint
Analyzed by devstral-2 · Feb 18, 2026

nomisec · Working PoC · 5 stars
by thelostworldFree · remote
https://github.com/thelostworldFree/CVE-2020-7961-payloads

This repository contains a functional exploit for CVE-2020-7961, a deserialization vulnerability in Liferay Portal. The PoC includes a Java payload template (LifExp.java) and a Python script (poc.py) that automates the exploitation process by serving a malicious serialized object via an HTTP server and triggering the vulnerability through JSON web services.

Classification: Working PoC (95%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal prior to 7.2.1 CE GA2
Auth: No auth needed
Prerequisites: Network access to the target Liferay Portal instance · Java and Python installed to compile and run the exploit
Analyzed by devstral-2 · Feb 18, 2026

nomisec · Working PoC · 2 stars
by CrackerCat · remote
https://github.com/CrackerCat/CVE-2020-7961-Mass

This repository contains a functional exploit for CVE-2020-7961, a deserialization vulnerability in Liferay Portal. The exploit leverages a crafted serialized payload to achieve remote code execution (RCE) on vulnerable Liferay instances.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal (versions affected by CVE-2020-7961)
Auth: No auth needed
Prerequisites: Target must be running a vulnerable version of Liferay Portal · Network access to the target
Analyzed by devstral-2 · Feb 18, 2026

nomisec · Writeup
by neverhavenamee · remote
https://github.com/neverhavenamee/CVE-2020-7961

This repository provides a detailed technical analysis of CVE-2020-7961, a deserialization vulnerability in Liferay Portal's JSON web services. It includes root cause analysis, code paths, and exploit mechanics, demonstrating a deep understanding of the vulnerability.

Classification: Writeup (95%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal (before 7.2.1 CE GA2)
Auth: Auth required
Prerequisites: Access to Liferay Portal instance · Valid authentication token
Analyzed by devstral-2 · Feb 18, 2026

nomisec · Suspicious
by pashayogi · poc
https://github.com/pashayogi/CVE-2020-7961-Mass

The repository contains no exploit code or technical details, only a request to purchase a password for $10 via email. This is a clear social engineering lure.

Classification: Suspicious (100%)
Attack type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
Auth: No auth needed
Analyzed by devstral-2 · Feb 18, 2026

nomisec · Working PoC
by Alaa-abdulridha · poc
https://github.com/Alaa-abdulridha/POC-CVE-2020-7961-Token-iterate

This repository contains a functional exploit for CVE-2020-7961, a deserialization vulnerability in Liferay Portal. The PoC leverages a crafted serialized object to achieve remote code execution (RCE) by exploiting insecure deserialization in the JSONWS API.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal (likely versions before 7.2.1 CE GA2)
Auth: Auth required
Prerequisites: Access to a vulnerable Liferay Portal instance · Valid authentication token (p_auth)
Analyzed by devstral-2 · Feb 19, 2026

nomisec · Scanner
by Alaa-abdulridha · poc
https://github.com/Alaa-abdulridha/GLiferay-CVE-2020-7961-golang

The repository contains a Go-based scanner for detecting CVE-2020-7961 in Liferay Portal. It checks for a deserialization vulnerability by sending a POST request to the `/api/jsonws/invoke` endpoint and analyzing the response for a specific error message.

Classification: Scanner (90%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal
Auth: No auth needed
Prerequisites: Target URL list in a file named 'result.txt'
Analyzed by devstral-2 · Feb 19, 2026

vulncheck_xdb · Working PoC
remote
https://github.com/random-robbie/liferay-pwn

This repository contains a functional exploit for CVE-2020-7961, a deserialization vulnerability in Liferay Portal. The exploit includes both a scanner (liferay.go) and an exploit script (liferay-exploit.py) that demonstrates remote code execution (RCE) by sending a crafted serialized payload to the vulnerable endpoint.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal (versions affected by CVE-2020-7961)
Auth: No auth needed
Prerequisites: Target URL with Liferay Portal instance · Network access to the vulnerable endpoint
Analyzed by devstral-2 · Feb 25, 2026

metasploit · Working PoC · Excellent
by Markus Wulftange, Thomas Etrillard, wvu · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/liferay_java_unmarshalling.rb

This Metasploit module exploits a Java unmarshalling vulnerability in Liferay Portal via JSONWS to achieve remote code execution. It uses a gadget chain involving C3P0WrapperConnPool to trigger deserialization of malicious payloads.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2
Auth: No auth needed
Prerequisites: Network access to the target Liferay Portal instance · Vulnerable version of Liferay Portal
Analyzed by devstral-2 · Feb 16, 2026

Nuclei Templates (1)

Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution
Severity: Critical · by dwisiswant0
Shodan: http.favicon.hash:129457226 || cpe:"cpe:2.3:a:liferay:liferay_portal"
FOFA: icon_hash=129457226

Scores

CVSS v3: 9.8
EPSS: 0.9441
EPSS percentile: 100.0%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-01-14
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2022-5527
CWE: CWE-502
Status: published
Products (2):
com.liferay.portal/com.liferay.portal.kernel 0 - 4.35.3 (Maven)
liferay/liferay_portal < 7.2.1
Published: Mar 20, 2020
KEV added: Nov 03, 2021
Tracked since: Feb 18, 2026