CVE-2012-0391

CRITICALNVD 9.89.8
EchelonGraph scoreHIGH confidence

Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-01-21), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.

Triggered by: CISA KEV (actively exploited)
Sources: cisa_kev, epss, nvd
Trending — 3 sources updated this weekExploited in the wild
9.8
EchelonGraph verdictPatch nowTreat as an emergency — this is being exploited.
  • Actively exploited in the wild (CISA-KEV)
CISA-KEV: ExploitedEPSS: 75%CVSS: 9.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CVSS v3
9.8
EG Score
9.8(high)
EPSS
99.5%
KEV
⚠ Exploited

Published

January 8, 2012

Last Modified

April 22, 2026

Advisory Details (4)

Auto-updated May 12, 2026
🔬 Proof of concept available. No patch confirmed yet.
generic

S2-008 - Apache Struts 2 Wiki - Apache Software Foundation

http://struts.apache.org/2.x/docs/s2-008.html
generic

About Secunia Research | Flexera

http://secunia.com/advisories/47393
generic

[WW-3668] Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error. - ASF Jira

https://issues.apache.org/jira/browse/WW-3668
generic🟡 PoC Available

Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities - Multiple webapps Exploit

http://www.exploit-db.com/exploits/18329

Affected Packages

(2 across 1 ecosystem)
Maven(2)
PackageVulnerable rangeFixed inDependents
org.apache.struts:struts2-core2.0.11 ... 2.2.3 (16 versions)2.2.3.1
org.apache.struts.xwork:xwork-core2.2.1, 2.2.1.1, 2.2.32.2.3.1

Publicly available exploits

(3 references)

Working exploit code is in the public domain (1 Metasploit module) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • Exploit-DBEDB-18984✓ verified
    First seen Jun 5, 2012

    Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit)

    Open source ↗
  • Exploit-DBEDB-18329✓ verified
    First seen Jan 6, 2012

    Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities

    Open source ↗
  • Metasploitexploit/multi/http/struts_code_exec_exception_delegator✓ verified
    First seen Jan 6, 2012

    Apache Struts Remote Command Execution

    Open source ↗

Frequently asked(6)

What is CVE-2012-0391?
CVE-2012-0391 is a critical vulnerability published on January 8, 2012. The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
When was CVE-2012-0391 disclosed?
CVE-2012-0391 was first published in the National Vulnerability Database on January 8, 2012, with the most recent update on April 22, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2012-0391 actively exploited?
Yes. CISA added CVE-2012-0391 to the Known Exploited Vulnerabilities catalog on January 21, 2022, affecting Apache Struts 2. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.
What is the CVSS score of CVE-2012-0391?
CVE-2012-0391 has a CVSS v3 base score of 9.8 (NVD).
Which products are affected by CVE-2012-0391?
CVE-2012-0391 affects Apache Struts 2. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.
How do I remediate CVE-2012-0391?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2012-0391, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2012-0391

Explore →

Is Your Infrastructure Affected by CVE-2012-0391?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.