Back to KEVs

CVE-2020-7961

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services...

Basic Information

CVE State: PUBLISHED
Reserved Date: January 24, 2020
Published Date: March 20, 2020
Last Updated: February 04, 2025
Vendor: n/a
Product: n/a
Description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

CVSS Scores

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-11-03 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2024-03-14 07:29:50 UTC) Source

References

https://portal.liferay.dev/learn/security/known-vulnerabilities https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271 http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html http://packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.html https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/liferay_java_unmarshalling.rb	2025-04-29 11:01:22 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-7961.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

liferay_java_unmarshalling

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-7961

manrop2702/CVE-2020-7961

Type: github • Created: 2024-03-14 07:29:50 UTC • Stars: 0

CrackerCat/CVE-2020-7961-Mass

Type: github • Created: 2021-04-09 01:50:14 UTC • Stars: 1

CVE-2020–7961 Mass exploit for Script Kiddies

ShutdownRepo/CVE-2020-7961

Type: github • Created: 2021-01-14 19:18:13 UTC • Stars: 17

Exploit script for CVE-2020-7961

shacojx/POC-CVE-2020-7961-Token-iterate

Type: github • Created: 2020-12-08 08:22:18 UTC • Stars: 3

POC-CVE-2020-7961-Token-iterate

shacojx/GLiferay-CVE-2020-7961-golang

Type: github • Created: 2020-10-17 08:32:51 UTC • Stars: 2

Detect vulns liferay CVE-2020-7961 by Nattroc (EOG Team)

shacojx/LifeRCEJsonWSTool-POC-CVE-2020-7961-Gui

Type: github • Created: 2020-06-23 03:01:57 UTC • Stars: 2

thelostworldFree/CVE-2020-7961-payloads

Type: github • Created: 2020-05-23 17:01:57 UTC • Stars: 5

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS)

mzer0one/CVE-2020-7961-POC

Type: github • Created: 2020-03-26 01:34:38 UTC • Stars: 116