Pivotal Spring Data REST and Spring Boot - RCE (CVE-2017-8046)

CVE-2017-8046 is a critical vulnerability in Pivotal Spring Data REST and Spring Boot that allows remote attackers to execute arbitrary Java code by sending maliciously crafted PATCH requests with JSON payloads. This flaw can be exploited without authentication, potentially leading to full system compromise, data theft, or service disruption.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2017-8046 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2017-8046 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2017-8046 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending malicious PATCH requests with crafted JSON payloads to Spring Data REST endpoints, often targeting URLs discovered via HAL links in API responses. The exploit leverages the application/json-patch+json content type and attempts to execute arbitrary Java code on the server.