CVE-2017-9805

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for...

Basic Information

CVE State: PUBLISHED
Reserved Date: June 21, 2017
Published Date: September 15, 2017
Last Updated: February 06, 2025
Vendor: Apache Software Foundation
Product: Apache Struts
Description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Tags

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-10 00:00:00 UTC) Source
Seen in APT Campaigns: Yes (added 2025-05-30 00:00:00 UTC) (Earth Lamia) Source
Proof of Concept Available: Yes (added 2019-09-02 22:24:07 UTC) Source

References

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html https://struts.apache.org/docs/s2-052.html http://www.securitytracker.com/id/1039263 http://www.securityfocus.com/bid/100609 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 https://bugzilla.redhat.com/show_bug.cgi?id=1488482 https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax https://www.exploit-db.com/exploits/42627/ https://lgtm.com/blog/apache_struts_CVE-2017-9805 https://cwiki.apache.org/confluence/display/WW/S2-052 https://security.netapp.com/advisory/ntap-20170907-0001/ https://www.kb.cert.org/vuls/id/112992

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_rest_xstream.rb	2025-04-29 11:01:23 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-9805.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

struts2_rest_xstream

Type: metasploit • Created: Unknown

Metasploit module for CVE-2017-9805

Shakun8/CVE-2017-9805

Type: github • Created: 2022-10-03 00:15:31 UTC • Stars: 3

CVE-2017-9805 POC

0xd3vil/CVE-2017-9805-Exploit

Type: github • Created: 2021-04-04 04:35:19 UTC • Stars: 1

CVE-2017-9805-Exploit

z3bd/CVE-2017-9805

Type: github • Created: 2021-03-05 21:57:11 UTC • Stars: 0

struts2-rest-showcase 2.5.10

jongmartinez/-CVE-2017-9805-

Type: github • Created: 2020-11-28 00:00:37 UTC • Stars: 1

Exploit script for Apache Struts2 REST Plugin XStream RCE (‎CVE-2017-9805)

wifido/CVE-2017-9805-Exploit

Type: github • Created: 2020-06-11 07:36:56 UTC • Stars: 0

Struts 2.5 - 2.5.12 REST Plugin XStream RCE

AvishkaSenadheera/CVE-2017-9805---Documentation---IT19143378

Type: github • Created: 2020-05-12 17:53:57 UTC • Stars: 0

UbuntuStrike/CVE-2017-9805-Apache-Struts-Fuzz-N-Sploit

Type: github • Created: 2019-09-02 22:24:07 UTC • Stars: 0

A script to Fuzz and and exploit Apache struts CVE-2017-9805

UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805-

Type: github • Created: 2019-08-31 22:06:31 UTC • Stars: 1

Simple python script to fuzz site for CVE-2017-9805

0x00-0x00/-CVE-2017-9805

Type: github • Created: 2017-11-24 14:46:35 UTC • Stars: 16

Exploit script for Apache Struts2 REST Plugin XStream RCE (‎CVE-2017-9805)

Lone-Ranger/apache-struts-pwn_CVE-2017-9805

Type: github • Created: 2017-09-10 05:26:03 UTC • Stars: 5

An exploit for Apache Struts CVE-2017-9805

mazen160/struts-pwn_CVE-2017-9805

Type: github • Created: 2017-09-09 01:32:57 UTC • Stars: 250

An exploit for Apache Struts CVE-2017-9805

Timeline

CVE ID Reserved

June 21, 2017
CVE Published to Public

September 15, 2017
Proof of Concept Exploit Available

September 02, 2019
Added to KEVIntel

November 03, 2021
Detected by Nuclei

April 26, 2025
Detected by Metasploit

April 29, 2025
Used in Earth Lamia APT Campaign

May 30, 2025