What is the CVSS score of CVE-2012-4681?

CVE-2012-4681 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 94.1%.

Which versions of Java are affected by CVE-2012-4681?

CVE-2012-4681 presents critical security risk, a improper access control vulnerability rated CVSS 9.8.

Is there a public PoC exploit available for CVE-2012-4681?

Yes, a public proof-of-concept exploit is available for CVE-2012-4681. Prioritise patching immediately. EPSS: 94.1%.

How to fix or mitigate CVE-2012-4681?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Java CVE-2012-4681

CRITICAL

Improper Access Control (CWE-284)

2012-08-28 cve@mitre.org

Authentication Bypass RCE Java Oracle

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Added to CISA KEV

Oct 22, 2025 - 01:15 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 01:15 vuln.today

Public exploit code

CVE Published

Aug 28, 2012 - 00:55 nvd

CRITICAL 9.8

DescriptionNVD

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

AnalysisAI

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName methods, enabling complete sandbox escape for untrusted applets. Massively exploited by exploit kits in 2012.

Technical ContextAI

The CWE-284 sandbox bypass chains two flaws: (1) com.sun.beans.finder.ClassFinder.findClass allows access to restricted classes, and (2) exception handling during forName() leaks class references that should be inaccessible. Together, these allow full SecurityManager bypass from unsigned applets.

RemediationAI

Java browser plugins are deprecated and should be removed. Update to latest Java version if JRE is required for desktop applications. Disable Java in web browsers via Java Control Panel.