CVE-2012-1723
CVE-2012-1723 is a critical-severity vulnerability in Oracle Jdk with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-03). The underlying weakness is classified as CWE-284.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 94% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-03)
- EU (EUVD) id: EUVD-2012-1733
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-03)
- Weakness: CWE-284
- Affected product: Oracle Jdk
- Published:
- Last modified:
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVE-2012-1723: Oracle Java SE Hotspot Remote Code Execution (CISA KEV)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2012-1723 |
| Published | 2012-06-16 |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-284 — Improper Access Control |
| EPSS | 93.7% (0.99828 percentile) |
| KEV | Yes (added 2022-03-03) |
| EU Exploited | Yes (since 2022-03-03) |
| Vendor | Oracle |
| Component | Java Runtime Environment (JRE) — Hotspot |
Summary
CVE-2012-1723 is a critical, unspecified vulnerability in the Hotspot component of Oracle Java SE. It enables remote, unauthenticated attackers to compromise the confidentiality, integrity, and availability of target systems. The vulnerability has been actively exploited in the wild and is catalogued in CISA's Known Exploited Vulnerabilities (KEV) list.
Background
In June 2012, Oracle released its Critical Patch Update (CPU) for Java SE, addressing multiple security flaws. CVE-2012-1723 was among the most severe, residing in the Hotspot Just-In-Time (JIT) compiler within the Java Runtime Environment. Hotspot is responsible for converting Java bytecode into native machine code at runtime; flaws in this component can undermine the entire Java security model, including sandbox protections.
Root Cause
CWE-284: Improper Access Control
The precise technical mechanism was not publicly disclosed by Oracle at the time of disclosure, and no independent root-cause analysis has been published in the references available. The vulnerability is classified as an unspecified issue in the Hotspot component. From the CVSS metrics (network attack vector, low complexity, no authentication required), the flaw likely allows a remote attacker to bypass Java security manager restrictions or memory-safety boundaries, leading to arbitrary code execution within the context of the JRE process.
Impact
- CVSS v2: 10.0 — Complete impact across confidentiality, integrity, and availability.
- CVSS v3.1: 9.8 CRITICAL — Network exploitable, requires no privileges, no user interaction, and results in high impact across all three pillars.
Successful exploitation could allow a remote attacker to execute arbitrary code, read sensitive data, modify system state, or cause a denial of service. Because Java applets and Web Start applications were commonly executed in browsers during this era, drive-by exploitation via malicious web pages was a realistic attack vector.
Exploitation Walkthrough
Ethics caveat: This section describes the attack surface and defensive context only. No weaponized exploit code is provided. Researchers and defenders should use this information to prioritise patching and detection, not offensive operations.
- Delivery vector: A malicious Java applet or Web Start application hosted on a compromised or attacker-controlled website.
- Trigger: The victim loads the page with a vulnerable JRE installed and the Java browser plugin enabled.
- Mechanism: The crafted applet leverages the Hotspot flaw to escape the Java sandbox and execute native code with the privileges of the JRE process (typically the logged-on user).
- Result: Full system compromise, data exfiltration, or malware installation.
Defenders should assume that reliable exploit code exists in the wild given the EPSS score of 93.7% and KEV status.
Affected and Patched Versions
Affected:
- Oracle Java SE 7 Update 4 and earlier
- Oracle Java SE 6 Update 32 and earlier
- Oracle Java SE 5 Update 35 and earlier
- Oracle Java SE 1.4.2_37 and earlier
Red Hat IcedTea6 and openSUSE Tumbleweed (java-1_7_0-openjdk < 1.7.0.121-1.1) distributions were also impacted.
Patched:
- Oracle Java SE 7 Update 5 and later
- Oracle Java SE 6 Update 33 and later
- Oracle Java SE 5 Update 36 and later
Remediation
- Upgrade immediately: Remove all affected Java versions and install the latest supported release from Oracle or an open-source distribution (OpenJDK).
- Disable Java browser plugin: If Java is not required for business applications, disable the browser plugin entirely to eliminate the primary drive-by attack vector.
- Application whitelisting: Use endpoint controls to prevent execution of untrusted Java archives (JARs) and applet code.
- Network segmentation: Restrict outbound connections from systems that must run legacy Java to reduce post-exploitation command-and-control opportunities.
Detection
- File/endpoint: Identify installations of Java SE versions at or below the affected thresholds. Asset-discovery tools and EDR agents can flag outdated JRE installations.
- Network: Monitor for Java applet downloads from untrusted or newly registered domains. Proxy and IDS signatures targeting Java archive delivery can help.
- Behavioural: EDR rules detecting child processes spawned from
java.exeor the Java plugin container, especially those executing shell commands or making unexpected network connections. - Threat intelligence: Cross-reference CISA KEV and EPSS scores above 0.9 to prioritise rapid response.
Assessment
CVE-2012-1723 is a textbook example of a high-impact, widely deployed software vulnerability. With a CVSS v3 score of 9.8 and an EPSS probability of 93.7%, this flaw presents an extreme risk to any organisation still running unpatched Java versions from 2012. Its inclusion in the CISA KEV catalogue confirms active exploitation more than a decade after disclosure.
Key lessons:
- Legacy Java is a persistent liability: Even ancient vulnerabilities remain relevant because Java installations are often left unmaintained on operational-technology and back-office systems.
- KEV + EPSS drives prioritisation: The combination of confirmed in-the-wild exploitation and high EPSS probability should trigger an emergency patch cycle, not a routine maintenance window.
References
- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
- http://rhn.redhat.com/errata/RHSA-2012-0734.html
- http://www.securityfocus.com/bid/53960
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16259
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-1723
Frequently asked questions
- What is CVE-2012-1723?
- Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
- How severe is CVE-2012-1723?
- CVE-2012-1723 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2012-1723 being actively exploited?
- Yes. CVE-2012-1723 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2012-1723?
- CVE-2012-1723 primarily affects Oracle Jdk. In total, 135 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2012-1723?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2012-1723 have an EU (EUVD) identifier?
- Yes. CVE-2012-1723 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2012-1733. It is also flagged as exploited in the EUVD (since 2022-03-03).
- When was CVE-2012-1723 published?
- CVE-2012-1723 was published on 2012-06-16 and last updated on 2026-06-16.
References
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019076.html
- http://marc.info/?l=bugtraq&m=134496371727681&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0734.html
- http://secunia.com/advisories/51080
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.ibm.com/support/docview.wss?uid=swg21615246
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:095
- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
- http://www.securityfocus.com/bid/53960
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16259
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-1723
Affected products (135)
- cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update16:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update18:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update19:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update20:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update21:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update22:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update23:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update24:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update25:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update26:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update27:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update28:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update29:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update30:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update31:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update32:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update33:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update34:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update35:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update16:*:*:*:*:*:*
More vulnerabilities in Oracle Jdk
- CVE-2016-0494 — Critical (CVSS 10.0): Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and…
- CVE-2016-0483 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows…
- CVE-2015-4883 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4881 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4860 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4844 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
All CVEs affecting Oracle Jdk →
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →