Cyber Resilience

CVE-2012-5076

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 October 2012

Modified: 21 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9144 (99.7th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-5076 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle JRE. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

The unspecified vulnerability CVE-2012-5076 resides in the Java Runtime Environment component of Oracle Java SE 7 Update 7 and earlier releases and is associated with JAX-WS. It carries a CVSS 3.1 base score of 9.8 and is tracked under CWE-284, indicating an improper access-control issue that can be reached over the network without authentication.

Remote attackers can exploit the flaw to impact the confidentiality, integrity, and availability of affected systems. Because the vector requires no user interaction and the impact on confidentiality, integrity, and availability is rated High, successful exploitation can lead to complete compromise of the Java process and any data it handles.

Vendor advisories referenced in the CVE entry, including Red Hat errata RHSA-2012-1386, RHSA-2012-1391, and RHSA-2012-1467 as well as the corresponding OpenSUSE and Secunia notices, address the issue through updated Java packages that remediate the JAX-WS exposure.

EU & UK References

Vulnerability details

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

CWE(s): CWE-284
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle · jre · 1.7.0
suse · linux enterprise desktop · 11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of vendor patches that remediate the JAX-WS flaw in Java SE 7 Update 7 and earlier.

prevent: Enforces access-control decisions that would have blocked the improper access path exploited by the CWE-284 flaw in JAX-WS.

prevent: Limits privileges of the Java process so that even successful exploitation of the remote JAX-WS vector cannot achieve full CIA impact.

References