
CVE-2017-9805

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 15 September 2017
Modified: 21 April 2026
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9432 (100.0th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-9805 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Apache Struts REST Plugin, which is also exposed through products that bundle Struts, such as Cisco Hosted Collaboration Solution. Its CVSS base score is 8.1 (High).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS 100.0th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2017-9805 is a deserialization flaw (CWE-502) in the REST Plugin of Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13. It arises because the plugin's XStreamHandler uses an instance of XStream to process XML payloads without any type filtering during deserialization, so the class names embedded in the XML decide which types get instantiated.

An attacker with network access can supply a crafted XML payload to trigger remote code execution on the server. The attack requires no privileges or user interaction and carries a CVSS 3.1 score of 8.1, reflecting high impact on confidentiality, integrity, and availability despite the High attack-complexity rating (AC:H).

Referenced advisories from Oracle, Red Hat, Apache, SecurityFocus, and SecurityTracker address the issue and point to the availability of patched versions 2.3.34 and 2.5.13.

EU & UK References

Vulnerability details

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor, product, affected versions:
apache struts: 2.1.2 — 2.3.34 · 2.5.0 — 2.5.13
cisco digital media manager: all versions
cisco hosted collaboration solution: 10.5(1), 11.0(1), 11.5(1), 11.6(1)
cisco media experience engine: 3.5, 3.5.2
cisco network performance analysis: all versions
cisco video distribution suite for internet streaming: all versions
netapp oncommand balance: all versions

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: Enforces validation of untrusted XML input prior to XStream deserialization, directly blocking the crafted payloads that trigger RCE.

SI-2 (Flaw Remediation), prevent: Requires prompt application of the available Struts patches (2.3.34 / 2.5.13) that add type filtering to the XStreamHandler.

prevent: Disables or restricts the vulnerable REST plugin and XStream usage unless explicitly required, reducing the attack surface for deserialization.
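The type filtering that the patched Struts versions add is what the first two controls above amount to in practice: an XStream instance that denies every class by default and re-enables only the types the endpoint legitimately expects. The following Java example, added here and not taken from Struts' own XStreamHandler, shows that pattern using XStream's security API (addPermission, allowTypes; available since XStream 1.4.7). The OrderRequest type, the element alias and the two XML payloads are hypothetical, constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    /** Hypothetical request body the REST endpoint is expected to receive. */
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    /**
     * Builds an XStream instance that refuses any type not on the allow-list.
     * This is the opposite of an unfiltered instance, where the XML decides
     * which classes get instantiated.
     */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Deny everything first, then add back the minimum the endpoint needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // String is not a primitive, so it must be allowed explicitly, as must the DTO.
        xstream.allowTypes(new Class[] { String.class, OrderRequest.class });
        xstream.alias("orderRequest", OrderRequest.class);
        return xstream;
    }

    /**
     * Returns true only if the payload deserialized to the expected type.
     * A payload naming a class outside the allow-list makes XStream throw
     * (ForbiddenClassException, possibly wrapped in a ConversionException);
     * both extend XStreamException, so the request is rejected before any
     * constructor or converter of the foreign type runs.
     */
    public static boolean tryParse(XStream xstream, String xml) {
        try {
            Object obj = xstream.fromXML(xml);
            return obj instanceof OrderRequest;
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: the legitimate request shape.
        String legitimate =
            "<orderRequest><sku>ABC-123</sku><quantity>2</quantity></orderRequest>";
        // Constructed sample: a JDK type the endpoint never needs; the root element
        // name is the class name XStream would otherwise instantiate.
        String unexpectedType = "<java.util.HashMap/>";

        System.out.println("legitimate payload accepted: " + tryParse(xstream, legitimate));   // true
        System.out.println("unexpected type accepted:    " + tryParse(xstream, unexpectedType)); // false
    }
}
```

For detection, the rejection log line is worth forwarding: a burst of ForbiddenClassException messages naming classes the application never uses is a clear signal that an endpoint is receiving deserialization probes, and on an unpatched instance the same requests would have been processed rather than logged.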
