The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
CVE-2017-9805
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 8.1 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.1
- EG Score
- 9.0(high)
- EPSS
- 99.9%
- KEV
- ⚠ Exploited
Published
September 15, 2017
Last Modified
April 21, 2026
Advisory Details (8)
Auto-updated May 19, 2026Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2S2-052 - Apache Struts 2 Wiki - Apache Software Foundation
https://struts.apache.org/docs/s2-052.htmlS2-052 - Apache Struts 2 Wiki - Apache Software Foundation
https://cwiki.apache.org/confluence/display/WW/S2-0521488482 – (CVE-2017-9805) CVE-2017-9805 struts: RCE attack via REST plugin with XStream handler to deserialise XML requests
https://bugzilla.redhat.com/show_bug.cgi?id=1488482Apache Struts Statement on Equifax Security Breach - The ASF Blog
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifaxAffected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.struts:struts2-rest-plugin | 2.5 ... 2.5.8 (8 versions) | 2.5.13 | — |
Data Freshness Timeline
(refreshed 50× in last 7d / 214× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 327 total refreshes for this CVE.
- 2026-07-12 02:22 UTCEG score recompute
- 2026-07-11 22:44 UTCEG score recompute
- 2026-07-11 19:06 UTCEG score recompute
- 2026-07-11 15:28 UTCEG score recompute
- 2026-07-11 11:50 UTCEG score recompute
- 2026-07-11 08:12 UTCEG score recompute
- 2026-07-11 04:34 UTCEG score recompute
- 2026-07-11 00:56 UTCEG score recompute
- 2026-07-10 21:16 UTCEG score recompute
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 17:38 UTCEG score recompute
- 2026-07-10 13:59 UTCEG score recompute
- 2026-07-10 10:20 UTCEG score recompute
- 2026-07-10 06:41 UTCEG score recompute
- 2026-07-10 03:01 UTCEG score recompute
- 2026-07-09 23:22 UTCEG score recompute
- 2026-07-09 19:45 UTCEG score recompute
- 2026-07-09 19:06 UTCEPSS rescore
- 2026-07-09 16:06 UTCEG score recompute
- 2026-07-09 12:27 UTCEG score recompute
- 2026-07-09 08:49 UTCEG score recompute
- 2026-07-09 05:11 UTCEG score recompute
- 2026-07-09 01:33 UTCEG score recompute
- 2026-07-08 21:53 UTCEG score recompute
- 2026-07-08 18:16 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-08 14:36 UTCEG score recompute
- 2026-07-08 10:58 UTCEG score recompute
- 2026-07-08 07:19 UTCEG score recompute
- 2026-07-08 03:41 UTCEG score recompute
- 2026-07-08 00:03 UTCEG score recompute
- 2026-07-07 20:25 UTCEG score recompute
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:46 UTCEG score recompute
- 2026-07-07 13:08 UTCEG score recompute
- 2026-07-07 09:28 UTCEG score recompute
- 2026-07-07 05:49 UTCEG score recompute
- 2026-07-07 02:09 UTCEG score recompute
- 2026-07-06 22:29 UTCEG score recompute
- 2026-07-06 18:51 UTCEG score recompute
- 2026-07-06 15:11 UTCEG score recompute
- 2026-07-06 11:32 UTCEG score recompute
- 2026-07-06 07:52 UTCEG score recompute
- 2026-07-06 04:12 UTCEG score recompute
- 2026-07-06 00:31 UTCEG score recompute
- 2026-07-05 20:53 UTCEG score recompute
- 2026-07-05 17:14 UTCEG score recompute
- 2026-07-05 13:36 UTCEG score recompute
- 2026-07-05 09:57 UTCEG score recompute
- 2026-07-05 06:18 UTCEG score recompute
- 2026-07-05 02:39 UTCEG score recompute
- 2026-07-04 23:01 UTCEG score recompute
- 2026-07-04 19:23 UTCEG score recompute
- 2026-07-04 15:45 UTCEG score recompute
- 2026-07-04 12:05 UTCEG score recompute
- 2026-07-04 08:26 UTCEG score recompute
- 2026-07-04 04:46 UTCEG score recompute
- 2026-07-04 01:07 UTCEG score recompute
- 2026-07-03 21:27 UTCEG score recompute
- 2026-07-03 17:49 UTCEG score recompute
- 2026-07-03 14:10 UTCEG score recompute
- 2026-07-03 10:32 UTCEG score recompute
- 2026-07-03 06:52 UTCEG score recompute
- 2026-07-03 03:11 UTCEG score recompute
- 2026-07-02 23:32 UTCEG score recompute
- 2026-07-02 19:54 UTCEG score recompute
- 2026-07-02 16:16 UTCEG score recompute
- 2026-07-02 12:37 UTCEG score recompute
- 2026-07-02 08:56 UTCEG score recompute
- 2026-07-02 05:15 UTCEG score recompute
- 2026-07-02 01:37 UTCEG score recompute
- 2026-07-01 21:59 UTCEG score recompute
- 2026-07-01 19:16 UTCCISA KEV update
- 2026-07-01 18:20 UTCEG score recompute
- 2026-07-01 14:42 UTCEG score recompute
- 2026-07-01 11:04 UTCEG score recompute
- 2026-07-01 07:26 UTCEG score recompute
- 2026-07-01 03:48 UTCEG score recompute
- 2026-07-01 00:10 UTCEG score recompute
- 2026-06-30 20:31 UTCEG score recompute
- 2026-06-30 16:52 UTCEG score recompute
- 2026-06-30 13:14 UTCEG score recompute
- 2026-06-30 09:35 UTCEG score recompute
- 2026-06-30 05:56 UTCEG score recompute
- 2026-06-30 02:17 UTCEG score recompute
- 2026-06-29 22:39 UTCEG score recompute
- 2026-06-29 19:12 UTCCISA KEV update
- 2026-06-29 19:01 UTCEG score recompute
- 2026-06-29 15:23 UTCEG score recompute
- 2026-06-29 11:43 UTCEG score recompute
- 2026-06-29 08:05 UTCEG score recompute
- 2026-06-29 04:27 UTCEG score recompute
- 2026-06-29 00:46 UTCEG score recompute
- 2026-06-28 21:08 UTCEG score recompute
- 2026-06-28 17:30 UTCEG score recompute
- 2026-06-28 13:51 UTCEG score recompute
- 2026-06-28 10:13 UTCEG score recompute
- 2026-06-28 06:33 UTCEG score recompute
- 2026-06-28 02:56 UTCEG score recompute
- 2026-06-27 23:18 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (1 Metasploit module) (7 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCShakun8/CVE-2017-9805First seen Oct 3, 2022
CVE-2017-9805 POC
Open source ↗ - GitHub PoCchrisjd20/cve-2017-9805.pyFirst seen Dec 4, 2017
Better Exploit Code For CVE 2017 9805 apache struts
Open source ↗ - GitHub PoC0x00-0x00/-CVE-2017-9805First seen Nov 24, 2017
Exploit script for Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805)
Open source ↗ - GitHub PoCLone-Ranger/apache-struts-pwn_CVE-2017-9805First seen Sep 10, 2017
An exploit for Apache Struts CVE-2017-9805
Open source ↗ - GitHub PoCmazen160/struts-pwn_CVE-2017-9805First seen Sep 9, 2017
An exploit for Apache Struts CVE-2017-9805
Open source ↗ - GitHub PoChahwul/struts2-rce-cve-2017-9805-rubyFirst seen Sep 7, 2017
cve -2017-9805
Open source ↗ - Exploit-DBEDB-42627First seen Sep 6, 2017
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution
Open source ↗ - GitHub PoCluc10/struts-rce-cve-2017-9805First seen Sep 6, 2017
CVE 2017-9805
Open source ↗ - Metasploitexploit/multi/http/struts2_rest_xstream✓ verifiedFirst seen Sep 5, 2017
Apache Struts 2 REST Plugin XStream RCE
Open source ↗ - Nucleihttp/cves/2017/CVE-2017-9805.yamlFirst seen Jan 1, 2017
Apache Struts2 S2-052 - Remote Code Execution
Open source ↗
Frequently asked(6)
What is CVE-2017-9805?
When was CVE-2017-9805 disclosed?
Is CVE-2017-9805 actively exploited?
What is the CVSS score of CVE-2017-9805?
Which products are affected by CVE-2017-9805?
How do I remediate CVE-2017-9805?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2017-9805
Is Your Infrastructure Affected by CVE-2017-9805?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.