JbossAS - RCE (CVE-2017-12149)

CVE-2017-12149, a vulnerability in JbossAS shipped with Red Hat Enterprise Application Platform 5.2 allows remote code execution due to unsafe deserialization in the ReadOnlyAccessFilter's doFilter method. Attackers can exploit this flaw by sending crafted serialized data, potentially leading to full system compromise and unauthorized execution of arbitrary code on the affected server.

CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.

CrowdSec network observations suggest that most exploitation of CVE-2017-12149 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2017-12149. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit JBoss deserialization vulnerabilities by sending crafted POST requests to endpoints like /invoker/readonly, /invoker/jmxinvokerservlet/, and /invoker/ejbinvokerservlet/ to achieve remote code execution.