CrowdSec
5/10CrowdSec Score

JbossAS - RCE (CVE-2017-12149)

Published on04-10-2017
First seen on25-06-2025

474Exploiting IPs reported

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

CrowdSec analysis

CVE-2017-12149, a vulnerability in JbossAS shipped with Red Hat Enterprise Application Platform 5.2 allows remote code execution due to unsafe deserialization in the ReadOnlyAccessFilter's doFilter method. Attackers can exploit this flaw by sending crafted serialized data, potentially leading to full system compromise and unauthorized execution of arbitrary code on the affected server.

CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.

CrowdSec network observations suggest that most exploitation of CVE-2017-12149 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2017-12149. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit JBoss deserialization vulnerabilities by sending crafted POST requests to endpoints like /invoker/readonly, /invoker/jmxinvokerservlet/, and /invoker/ejbinvokerservlet/ to achieve remote code execution.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.