CVE-2012-4681
CVE-2012-4681 is a critical-severity vulnerability in Oracle Jdk with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-03). The underlying weakness is classified as CWE-284.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-03)
- EU (EUVD) id: EUVD-2012-4606
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-03)
- Weakness: CWE-284
- Affected product: Oracle Jdk
- Published:
- Last modified:
Description
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
CVE-2012-4681: Java SecurityManager Bypass Leading to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2012-4681 |
| CVSS v2 | 10 (Critical) |
| CVSS v3 | 9.8 (Critical) |
| CWE | CWE-284 (Improper Access Control) |
| EPSS | 0.98536 (0.99915 percentile) |
| KEV | Yes (listed since 2022-03-03) |
Summary
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Background
The Java SecurityManager is designed to sandbox untrusted code, such as applets downloaded from the web, restricting their access to system resources. In affected versions of Java, the SecurityManager could be bypassed through a combination of reflection tricks and exception handling, allowing untrusted code to escalate privileges and execute arbitrary commands.
Root Cause
The root cause is classified as CWE-284: Improper Access Control. The vulnerability arises because:
com.sun.beans.finder.ClassFinder.findClasscould be abused to access restricted classes from arbitrary packages (such assun.awt.SunToolkit) by leveraging exception behavior with theforNamemethod.- Java's reflection mechanism allowed untrusted code to use "a trusted immediate caller" to invoke
getField, granting access to and modification of private fields that should have been protected by the SecurityManager.
The combination of these two weaknesses effectively nullified the sandbox protections.
Impact
- CVSS v2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) — Network exploitable, low complexity, no authentication required, with complete impact on confidentiality, integrity, and availability.
- CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Critical severity, network attack vector, no privileges or user interaction required.
Successful exploitation enables a remote attacker to execute arbitrary code with the privileges of the user running the Java applet, potentially leading to full system compromise.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. It does not contain weaponized exploit code.
- Delivery: The attacker hosts a malicious Java applet on a compromised or attacker-controlled website.
- Bypassing Class Restrictions: The applet calls
com.sun.beans.finder.ClassFinder.findClassand manipulates exception handling withforNameto load restricted internal classes (e.g.,sun.awt.SunToolkit) that are normally inaccessible to untrusted code. - Reflection Abuse: Using reflection with a trusted immediate caller, the applet invokes
getFieldto access and modify private fields, effectively bypassing the SecurityManager's access controls. - Code Execution: With the SecurityManager bypassed, the applet can execute arbitrary code on the victim's system.
This attack vector was observed in the wild in August 2012 using the malicious classes Gondzz.class and Gondvv.class.
Affected and Patched Versions
Affected:
- Oracle JDK 1.6.0 (multiple updates, including through update 34)
- Oracle JDK 1.7.0 through Update 6
- Oracle JRE 1.6.0 (multiple updates, including through update 34)
- Oracle JRE 1.7.0 through Update 6
Patched:
Oracle released security updates following disclosure. Users should upgrade to the latest available Java version for their release stream. For Java 7, updates beyond Update 6 addressed this issue.
Remediation
- Upgrade Java: Immediately upgrade to the latest patched version of Java provided by Oracle for your release stream. Java 7 users should move to a version newer than Update 6.
- Disable Java in Browsers: If Java is not required for browser use, disable the Java browser plugin entirely to eliminate the primary attack vector.
- Use Application Whitelisting: Employ application control solutions to prevent unauthorized Java execution.
- Network Segmentation: Restrict systems running Java from accessing untrusted networks where possible.
Detection
- Monitor for suspicious applet execution or unexpected Java process behavior.
- Inspect web proxy logs for requests to unknown or suspicious
.jaror.classfiles. - Use endpoint detection and response (EDR) tools to flag unauthorized reflection-based activity in Java processes.
- Correlate with threat intelligence feeds indicating
Gondzz.classorGondvv.classusage.
Assessment
This vulnerability carries an EPSS score of 0.98536, placing it in the top percentile of exploited vulnerabilities (0.99915). Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2022-03-03) confirms sustained relevance.
Key lessons:
- Reflection is a double-edged sword: Language features designed for flexibility can undermine security boundaries when combined with exception-handling tricks.
- Sandbox escape is catastrophic: A single bypass of the SecurityManager can lead to full remote code execution, underscoring the need for defense-in-depth rather than relying solely on a single access-control mechanism.
References
- http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
- http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
- http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
- http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
- http://marc.info/?l=bugtraq&m=135109152819176&w=2
- http://rhn.redhat.com/errata/RHSA-2012-1225.html
- http://secunia.com/advisories/51044
- http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
- http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
- http://www.securityfocus.com/bid/55213
- http://www.us-cert.gov/cas/techalerts/TA12-240A.html
- https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-4681
Frequently asked questions
- What is CVE-2012-4681?
- Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
- How severe is CVE-2012-4681?
- CVE-2012-4681 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2012-4681 being actively exploited?
- Yes. CVE-2012-4681 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2012-4681?
- CVE-2012-4681 primarily affects Oracle Jdk. In total, 85 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2012-4681?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2012-4681 have an EU (EUVD) identifier?
- Yes. CVE-2012-4681 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2012-4606. It is also flagged as exploited in the EUVD (since 2022-03-03).
- When was CVE-2012-4681 published?
- CVE-2012-4681 was published on 2012-08-28 and last updated on 2026-06-16.
References
- http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
- http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
- http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
- http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
- http://marc.info/?l=bugtraq&m=135109152819176&w=2
- http://rhn.redhat.com/errata/RHSA-2012-1225.html
- http://secunia.com/advisories/51044
- http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
- http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
- http://www.securityfocus.com/bid/55213
- http://www.us-cert.gov/cas/techalerts/TA12-240A.html
- https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-4681
Affected products (85)
- cpe:2.3:a:oracle:jdk:1.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update16:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update18:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update19:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update20:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update21:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update8:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
More vulnerabilities in Oracle Jdk
- CVE-2016-0494 — Critical (CVSS 10.0): Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and…
- CVE-2016-0483 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows…
- CVE-2015-4883 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4881 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4860 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4844 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
All CVEs affecting Oracle Jdk →
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →