JbossAS - RCE (CVE-2017-12149)
651Exploiting IPs reported
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
CrowdSec analysis
CVE-2017-12149, a vulnerability in JbossAS shipped with Red Hat Enterprise Application Platform 5.2 allows remote code execution due to unsafe deserialization in the ReadOnlyAccessFilter's doFilter method. Attackers can exploit this flaw by sending crafted serialized data, potentially leading to full system compromise and unauthorized execution of arbitrary code on the affected server.
CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.
CrowdSec network data shows that most actors exploiting CVE-2017-12149 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. CrowdSec data also reveals a clear uptick in attacks involving CVE-2017-12149 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Attackers exploit JBoss deserialization vulnerabilities by sending crafted POST requests to endpoints like /invoker/readonly, /invoker/jmxinvokerservlet/, and /invoker/ejbinvokerservlet/ to achieve remote code execution.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.