Pivotal Spring Data REST and Spring Boot - RCE (CVE-2017-8046)

CVE-2017-8046 is a critical vulnerability in Pivotal Spring Data REST and Spring Boot that allows remote attackers to execute arbitrary Java code by sending maliciously crafted PATCH requests with JSON payloads. This flaw can be exploited without authentication, potentially leading to full system compromise, data theft, or service disruption.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2017-8046 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec network telemetry also shows that exploitation of CVE-2017-8046 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit this vulnerability by sending malicious PATCH requests with crafted JSON payloads to Spring Data REST endpoints, often targeting URLs discovered via HAL links in API responses. The exploit leverages the application/json-patch+json content type and attempts to execute arbitrary Java code on the server.