CVE-2012-1723

CVE-2012-1723 is a critical-severity vulnerability in Oracle Jdk with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-03). The underlying weakness is classified as CWE-284.

Key facts

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2012-1723: Oracle Java SE Hotspot Remote Code Execution (CISA KEV)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2012-1723
Published 2012-06-16
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-284 — Improper Access Control
EPSS 93.7% (0.99828 percentile)
KEV Yes (added 2022-03-03)
EU Exploited Yes (since 2022-03-03)
Vendor Oracle
Component Java Runtime Environment (JRE) — Hotspot

Summary

CVE-2012-1723 is a critical, unspecified vulnerability in the Hotspot component of Oracle Java SE. It enables remote, unauthenticated attackers to compromise the confidentiality, integrity, and availability of target systems. The vulnerability has been actively exploited in the wild and is catalogued in CISA's Known Exploited Vulnerabilities (KEV) list.

Background

In June 2012, Oracle released its Critical Patch Update (CPU) for Java SE, addressing multiple security flaws. CVE-2012-1723 was among the most severe, residing in the Hotspot Just-In-Time (JIT) compiler within the Java Runtime Environment. Hotspot is responsible for converting Java bytecode into native machine code at runtime; flaws in this component can undermine the entire Java security model, including sandbox protections.

Root Cause

CWE-284: Improper Access Control

The precise technical mechanism was not publicly disclosed by Oracle at the time of disclosure, and no independent root-cause analysis has been published in the references available. The vulnerability is classified as an unspecified issue in the Hotspot component. From the CVSS metrics (network attack vector, low complexity, no authentication required), the flaw likely allows a remote attacker to bypass Java security manager restrictions or memory-safety boundaries, leading to arbitrary code execution within the context of the JRE process.

Impact

  • CVSS v2: 10.0 — Complete impact across confidentiality, integrity, and availability.
  • CVSS v3.1: 9.8 CRITICAL — Network exploitable, requires no privileges, no user interaction, and results in high impact across all three pillars.

Successful exploitation could allow a remote attacker to execute arbitrary code, read sensitive data, modify system state, or cause a denial of service. Because Java applets and Web Start applications were commonly executed in browsers during this era, drive-by exploitation via malicious web pages was a realistic attack vector.

Exploitation Walkthrough

Ethics caveat: This section describes the attack surface and defensive context only. No weaponized exploit code is provided. Researchers and defenders should use this information to prioritise patching and detection, not offensive operations.

  1. Delivery vector: A malicious Java applet or Web Start application hosted on a compromised or attacker-controlled website.
  2. Trigger: The victim loads the page with a vulnerable JRE installed and the Java browser plugin enabled.
  3. Mechanism: The crafted applet leverages the Hotspot flaw to escape the Java sandbox and execute native code with the privileges of the JRE process (typically the logged-on user).
  4. Result: Full system compromise, data exfiltration, or malware installation.

Defenders should assume that reliable exploit code exists in the wild given the EPSS score of 93.7% and KEV status.

Affected and Patched Versions

Affected:

  • Oracle Java SE 7 Update 4 and earlier
  • Oracle Java SE 6 Update 32 and earlier
  • Oracle Java SE 5 Update 35 and earlier
  • Oracle Java SE 1.4.2_37 and earlier

Red Hat IcedTea6 and openSUSE Tumbleweed (java-1_7_0-openjdk < 1.7.0.121-1.1) distributions were also impacted.

Patched:

  • Oracle Java SE 7 Update 5 and later
  • Oracle Java SE 6 Update 33 and later
  • Oracle Java SE 5 Update 36 and later

Remediation

  1. Upgrade immediately: Remove all affected Java versions and install the latest supported release from Oracle or an open-source distribution (OpenJDK).
  2. Disable Java browser plugin: If Java is not required for business applications, disable the browser plugin entirely to eliminate the primary drive-by attack vector.
  3. Application whitelisting: Use endpoint controls to prevent execution of untrusted Java archives (JARs) and applet code.
  4. Network segmentation: Restrict outbound connections from systems that must run legacy Java to reduce post-exploitation command-and-control opportunities.

Detection

  • File/endpoint: Identify installations of Java SE versions at or below the affected thresholds. Asset-discovery tools and EDR agents can flag outdated JRE installations.
  • Network: Monitor for Java applet downloads from untrusted or newly registered domains. Proxy and IDS signatures targeting Java archive delivery can help.
  • Behavioural: EDR rules detecting child processes spawned from java.exe or the Java plugin container, especially those executing shell commands or making unexpected network connections.
  • Threat intelligence: Cross-reference CISA KEV and EPSS scores above 0.9 to prioritise rapid response.

Assessment

CVE-2012-1723 is a textbook example of a high-impact, widely deployed software vulnerability. With a CVSS v3 score of 9.8 and an EPSS probability of 93.7%, this flaw presents an extreme risk to any organisation still running unpatched Java versions from 2012. Its inclusion in the CISA KEV catalogue confirms active exploitation more than a decade after disclosure.

Key lessons:

  1. Legacy Java is a persistent liability: Even ancient vulnerabilities remain relevant because Java installations are often left unmaintained on operational-technology and back-office systems.
  2. KEV + EPSS drives prioritisation: The combination of confirmed in-the-wild exploitation and high EPSS probability should trigger an emergency patch cycle, not a routine maintenance window.

References

Frequently asked questions

What is CVE-2012-1723?
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
How severe is CVE-2012-1723?
CVE-2012-1723 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2012-1723 being actively exploited?
Yes. CVE-2012-1723 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2012-1723?
CVE-2012-1723 primarily affects Oracle Jdk. In total, 135 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2012-1723?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2012-1723 have an EU (EUVD) identifier?
Yes. CVE-2012-1723 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2012-1733. It is also flagged as exploited in the EUVD (since 2022-03-03).
When was CVE-2012-1723 published?
CVE-2012-1723 was published on 2012-06-16 and last updated on 2026-06-16.

References

Affected products (135)

More vulnerabilities in Oracle Jdk

All CVEs affecting Oracle Jdk →

Other CWE-284 (Improper Access Control) vulnerabilities

Browse all CWE-284 (Improper Access Control) vulnerabilities →