CVE-2012-4681

CVE-2012-4681 is a critical-severity vulnerability in Oracle Jdk with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-03). The underlying weakness is classified as CWE-284.

Key facts

Description

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

CVE-2012-4681: Java SecurityManager Bypass Leading to Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2012-4681
CVSS v2 10 (Critical)
CVSS v3 9.8 (Critical)
CWE CWE-284 (Improper Access Control)
EPSS 0.98536 (0.99915 percentile)
KEV Yes (listed since 2022-03-03)

Summary

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Background

The Java SecurityManager is designed to sandbox untrusted code, such as applets downloaded from the web, restricting their access to system resources. In affected versions of Java, the SecurityManager could be bypassed through a combination of reflection tricks and exception handling, allowing untrusted code to escalate privileges and execute arbitrary commands.

Root Cause

The root cause is classified as CWE-284: Improper Access Control. The vulnerability arises because:

  1. com.sun.beans.finder.ClassFinder.findClass could be abused to access restricted classes from arbitrary packages (such as sun.awt.SunToolkit) by leveraging exception behavior with the forName method.
  2. Java's reflection mechanism allowed untrusted code to use "a trusted immediate caller" to invoke getField, granting access to and modification of private fields that should have been protected by the SecurityManager.

The combination of these two weaknesses effectively nullified the sandbox protections.

Impact

  • CVSS v2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) — Network exploitable, low complexity, no authentication required, with complete impact on confidentiality, integrity, and availability.
  • CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Critical severity, network attack vector, no privileges or user interaction required.

Successful exploitation enables a remote attacker to execute arbitrary code with the privileges of the user running the Java applet, potentially leading to full system compromise.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive awareness only. It does not contain weaponized exploit code.

  1. Delivery: The attacker hosts a malicious Java applet on a compromised or attacker-controlled website.
  2. Bypassing Class Restrictions: The applet calls com.sun.beans.finder.ClassFinder.findClass and manipulates exception handling with forName to load restricted internal classes (e.g., sun.awt.SunToolkit) that are normally inaccessible to untrusted code.
  3. Reflection Abuse: Using reflection with a trusted immediate caller, the applet invokes getField to access and modify private fields, effectively bypassing the SecurityManager's access controls.
  4. Code Execution: With the SecurityManager bypassed, the applet can execute arbitrary code on the victim's system.

This attack vector was observed in the wild in August 2012 using the malicious classes Gondzz.class and Gondvv.class.

Affected and Patched Versions

Affected:

  • Oracle JDK 1.6.0 (multiple updates, including through update 34)
  • Oracle JDK 1.7.0 through Update 6
  • Oracle JRE 1.6.0 (multiple updates, including through update 34)
  • Oracle JRE 1.7.0 through Update 6

Patched:
Oracle released security updates following disclosure. Users should upgrade to the latest available Java version for their release stream. For Java 7, updates beyond Update 6 addressed this issue.

Remediation

  1. Upgrade Java: Immediately upgrade to the latest patched version of Java provided by Oracle for your release stream. Java 7 users should move to a version newer than Update 6.
  2. Disable Java in Browsers: If Java is not required for browser use, disable the Java browser plugin entirely to eliminate the primary attack vector.
  3. Use Application Whitelisting: Employ application control solutions to prevent unauthorized Java execution.
  4. Network Segmentation: Restrict systems running Java from accessing untrusted networks where possible.

Detection

  • Monitor for suspicious applet execution or unexpected Java process behavior.
  • Inspect web proxy logs for requests to unknown or suspicious .jar or .class files.
  • Use endpoint detection and response (EDR) tools to flag unauthorized reflection-based activity in Java processes.
  • Correlate with threat intelligence feeds indicating Gondzz.class or Gondvv.class usage.

Assessment

This vulnerability carries an EPSS score of 0.98536, placing it in the top percentile of exploited vulnerabilities (0.99915). Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2022-03-03) confirms sustained relevance.

Key lessons:

  1. Reflection is a double-edged sword: Language features designed for flexibility can undermine security boundaries when combined with exception-handling tricks.
  2. Sandbox escape is catastrophic: A single bypass of the SecurityManager can lead to full remote code execution, underscoring the need for defense-in-depth rather than relying solely on a single access-control mechanism.

References

Frequently asked questions

What is CVE-2012-4681?
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
How severe is CVE-2012-4681?
CVE-2012-4681 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2012-4681 being actively exploited?
Yes. CVE-2012-4681 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2012-4681?
CVE-2012-4681 primarily affects Oracle Jdk. In total, 85 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2012-4681?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2012-4681 have an EU (EUVD) identifier?
Yes. CVE-2012-4681 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2012-4606. It is also flagged as exploited in the EUVD (since 2022-03-03).
When was CVE-2012-4681 published?
CVE-2012-4681 was published on 2012-08-28 and last updated on 2026-06-16.

References

Affected products (85)

More vulnerabilities in Oracle Jdk

All CVEs affecting Oracle Jdk →

Other CWE-284 (Improper Access Control) vulnerabilities

Browse all CWE-284 (Improper Access Control) vulnerabilities →