CVE-2021-34371

CRITICAL

Neo4j < 3.4.18 and 3.5.0 - Remote Code Execution via RMI Deserialization

Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-34371. PoCs published by Christopher Ellis, zwjjustdoit, Andyyyyuan.

AI-analyzed exploit summary: This exploit leverages Java deserialization in Neo4j's ShellServer RMI interface to achieve remote code execution by crafting a malicious payload using the Rhino gadget chain. It requires the shell server to be enabled and accessible via RMI.

Description

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Exploits (4)

exploitdb WORKING POC
by Christopher Ellis · java · remote · java
https://www.exploit-db.com/exploits/50170

This exploit leverages Java deserialization in Neo4j's ShellServer RMI interface to achieve remote code execution by crafting a malicious payload using the Rhino gadget chain. It requires the shell server to be enabled and accessible via RMI.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Neo4j 3.4.18
No auth needed
Prerequisites: Neo4j shell server enabled · RMI registry accessible · Rhino 1.7.9 dependency present
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 32 stars
by zwjjustdoit · poc
https://github.com/zwjjustdoit/CVE-2021-34371.jar

This repository contains a JAR file exploiting CVE-2021-34371, a deserialization vulnerability in Neo4j's Rhino engine. The PoC leverages a gadget chain to achieve remote code execution (RCE) on vulnerable Neo4j instances.

Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Neo4j (specific version not specified)
No auth needed
Prerequisites: Vulnerable Neo4j instance with exposed deserialization endpoint
devstral-2 · analyzed Feb 18, 2026

github SUSPICIOUS
by Andyyyyuan · python · poc
https://github.com/Andyyyyuan/CVE-Poc/tree/main/CVE-2021-34371

The repository contains only a README with images and a reference to an external JAR file from another GitHub repository, lacking any actual exploit code or technical details. It appears to be a placeholder or lure rather than a functional PoC.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Neo4j (version unspecified)
No auth needed
Prerequisites: external JAR file download
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by tavgar · poc
https://github.com/tavgar/CVE-2021-34371

This repository contains a functional Python exploit for CVE-2021-34371, targeting Neo4j 3.4.18 via RMI deserialization. The exploit leverages a custom Rhino gadget from ysoserial to achieve remote code execution by interacting with the exposed shell service.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Neo4j 3.4.18
No auth needed
Prerequisites: Vulnerable Neo4j 3.4.18 instance with shell-server enabled · Access to the RMI registry on port 1337 · Java dependencies (neo4j-shell-3.4.18.jar, ysoserial-all.jar)
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50170

Scores

CVSS v3: 9.8
EPSS: 0.6807
EPSS Percentile: 98.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502
Status: published
Products (2):
neo4j/neo4j < 3.4.18
org.neo4j/neo4j 0 - 3.5.0 (Maven)
Published: Aug 05, 2021
Tracked Since: Feb 18, 2026