The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
CVE-2012-0391
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-01-21), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 99.5%
- KEV
- ⚠ Exploited
Published
January 8, 2012
Last Modified
April 22, 2026
Advisory Details (4)
Auto-updated May 12, 2026S2-008 - Apache Struts 2 Wiki - Apache Software Foundation
http://struts.apache.org/2.x/docs/s2-008.html[WW-3668] Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error. - ASF Jira
https://issues.apache.org/jira/browse/WW-3668Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities - Multiple webapps Exploit
http://www.exploit-db.com/exploits/18329Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.struts:struts2-core | 2.0.11 ... 2.2.3 (16 versions) | 2.2.3.1 | — |
| org.apache.struts.xwork:xwork-core | 2.2.1, 2.2.1.1, 2.2.3 | 2.2.3.1 | — |
Publicly available exploits
(3 references)Working exploit code is in the public domain (1 Metasploit module) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-18984✓ verifiedFirst seen Jun 5, 2012
Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit)
Open source ↗ - Exploit-DBEDB-18329✓ verifiedFirst seen Jan 6, 2012
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
Open source ↗ - Metasploitexploit/multi/http/struts_code_exec_exception_delegator✓ verifiedFirst seen Jan 6, 2012
Apache Struts Remote Command Execution
Open source ↗
Frequently asked(6)
What is CVE-2012-0391?
When was CVE-2012-0391 disclosed?
Is CVE-2012-0391 actively exploited?
What is the CVSS score of CVE-2012-0391?
Which products are affected by CVE-2012-0391?
How do I remediate CVE-2012-0391?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2012-0391
Is Your Infrastructure Affected by CVE-2012-0391?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.