What is the CVSS score of CVE-2011-3544?

CVE-2011-3544 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 92.6%.

Which versions of Oracle Java SE are affected by CVE-2011-3544?

CVE-2011-3544 is a critical remote code execution vulnerability in Oracle Java SE (JDK/JRE 6 Update 27 and earlier, Java 7) that allows unauthenticated attackers to achieve complete system compromise…. A patch is available.

Is there a public PoC exploit available for CVE-2011-3544?

Yes, a public proof-of-concept exploit is available for CVE-2011-3544. Prioritise patching immediately. EPSS: 92.6%.

How to fix or mitigate CVE-2011-3544?

Within 24 hours: Identify all systems running Java SE JDK/JRE 6 Update 27 or earlier, or Java 7 versions prior to the patch release (Java 7 Update 4 or later); disable Java in browsers if immediate patching is not possible. Within 7 days: Apply vendor patch to Java 7 Update 4 or later, or Java SE 6 Update 29 or later across all affected systems; verify patch installation via java -version command. Within 30 days: Conduct full vulnerability reassessment; implement application whitelisting to restrict Java Web Start execution; disable Java applets enterprise-wide if business requirements permit.

Oracle Java SE CVE-2011-3544

CRITICAL

Improper Access Control (CWE-284)

2011-10-19 secalert_us@oracle.com

Authentication Bypass Java Oracle

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 22, 2026 - 13:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:17 vuln.today

Added to CISA KEV

Oct 22, 2025 - 01:15 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 01:15 vuln.today

Public exploit code

Patch released

Oct 22, 2025 - 01:15 nvd

Patch available

CVE Published

Oct 19, 2011 - 21:55 nvd

CRITICAL 9.8

DescriptionNVD

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

AnalysisAI

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise through malicious Java Web Start applications and untrusted applets exploiting the Scripting component. CISA KEV confirms active exploitation in the wild. EPSS score of 92.59% (100th percentile) indicates extremely high probability of mass exploitation. Public exploit code exists, making this a critical priority for any environment running affected Java versions despite the vulnerability's age.

Technical ContextAI

This vulnerability affects the Scripting component within Oracle Java Runtime Environment, specifically in Java SE 6 (all updates through Update 27) and Java 7 initial release. The Scripting component enables integration between Java and scripting languages like JavaScript through the javax.script API and Rhino engine. CWE-284 (Improper Access Control) indicates the root cause involves insufficient restrictions on what untrusted code can access or execute. The CVSS vector AV:N/AC:L indicates network-based exploitation with low complexity, meaning attackers can trigger the flaw simply by convincing users to visit malicious websites hosting weaponized Java applets or Web Start applications. The vulnerability allows escaping the Java security sandbox, which is designed to restrict untrusted code from accessing system resources.

RemediationAI

Upgrade to Oracle Java SE 6 Update 29 or Java SE 7 Update 1 or later as specified in Oracle's October 2011 Critical Patch Update (http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html). For Red Hat Enterprise Linux, apply RHSA-2011-1384 or later Java packages. Ubuntu users should apply USN-1263-1. If immediate patching is not feasible, disable Java browser plugins in all web browsers and uninstall Java Web Start to prevent exploitation via malicious applets-this completely blocks the attack vector but breaks legitimate Java web applications. Alternatively, configure Java security settings to 'Very High' and maintain strict whitelisting of trusted applet sources, though this provides only partial protection against sophisticated exploits. Network-level blocking of Java applet MIME types (application/x-java-applet) at web proxies adds defense-in-depth but may cause operational disruption. Given active exploitation, compensating controls should be considered temporary only until patching is complete.

More from same product – last 7 days

CVE-2026-46840 CRITICAL Act Now

10.0 May 28

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to c

CVE-2026-46775 CRITICAL Act Now

9.9 May 28

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote att

CVE-2026-46822 CRITICAL Act Now

9.9 May 28

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privil

CVE-2026-46824 CRITICAL Act Now

9.9 May 28

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Bus

CVE-2026-46839 CRITICAL Act Now

9.9 May 28

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-pr

CVE-2011-3544 vulnerability details – vuln.today

Back

Oracle Java SE CVE-2011-3544

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code