# [CRIT] [GHSA / CRITICAL] CVE-2026-2587: GlassFish's gadget handler is vulnerable to RCE **Source:** GitHub Security Advisories **Published:** 2026-05-19 **Article:** https://github.com/advisories/GHSA-29wv-cv7p-xjc2 ## Threat Profile GlassFish's gadget handler is vulnerable to RCE A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This i… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-2587` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1219** — Remote Access Software - **T1059** — Command and Scripting Interpreter - **T1059.001** — PowerShell - **T1059.003** — Windows Command Shell - **T1059.004** — Unix Shell - **T1059.007** — JavaScript - **T1071.001** — Web Protocols ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### GlassFish java process spawning command shell (CVE-2026-2587 RCE) `UC_257_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name="java.exe" OR Processes.parent_process_name="java") AND (Processes.parent_process="*glassfish*" OR Processes.parent_process="*asadmin*" OR Processes.parent_process="*appserver-rt*" OR Processes.parent_process="*domain1*" OR Processes.parent_process="*com.sun.aas.installRoot*") AND Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe","certutil.exe","curl.exe","wget.exe","python.exe","sh","bash","dash","zsh") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | sort 0 -lastTime ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("java.exe","java") | where InitiatingProcessCommandLine has_any ("glassfish","asadmin","appserver-rt","domain1","com.sun.aas.installRoot") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe","certutil.exe","curl.exe","wget.exe","python.exe","sh","bash","dash","zsh") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Inbound HTTP request to GlassFish gadget.jsf handler (CVE-2026-2587 exploit attempt) `UC_257_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/common/gadgets/gadget.jsf*" AND Web.url="*gadget=*" by Web.src Web.dest Web.url Web.http_method Web.http_user_agent Web.status | `drop_dm_object_name(Web)` | rex field=url "gadget=(?[^&]+)" | eval gadget_url=urldecode(gadget_url) | where NOT match(src,"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)") OR match(gadget_url,"^https?://(?!.*\.corp\.example\.com)") | sort 0 -lastTime ``` ### GlassFish java process outbound HTTP fetch to external host (gadget XML callback) `UC_257_5` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app="java.exe" OR All_Traffic.app="java" OR All_Traffic.process_name="java.exe" OR All_Traffic.process_name="java") AND All_Traffic.dest_port IN (80,443,8080,8443) AND NOT (All_Traffic.dest_ip="10.0.0.0/8" OR All_Traffic.dest_ip="172.16.0.0/12" OR All_Traffic.dest_ip="192.168.0.0/16" OR All_Traffic.dest_ip="127.0.0.0/8") by All_Traffic.src All_Traffic.dest All_Traffic.dest_port All_Traffic.app All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` | sort 0 -lastTime ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("java.exe","java") | where InitiatingProcessCommandLine has_any ("glassfish","asadmin","appserver-rt","domain1","com.sun.aas.installRoot") | where RemoteIPType == "Public" | where RemotePort in (80, 443, 8080, 8443) | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(), Cmds = make_set(InitiatingProcessCommandLine, 5), URLs = make_set(RemoteUrl, 10) by DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName | order by LastSeen desc ``` ### Unpatched GlassFish admingui/jsftemplating inventory (CVE-2026-2587 attack surface) `UC_257_6` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | inputlookup cve_inventory.csv | search cve_id="CVE-2026-2587" | table host product version cvss patched_date ``` **Defender KQL:** ```kql DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2026-2587" or (SoftwareVendor =~ "eclipse" and SoftwareName has_any ("glassfish","admingui","jsftemplating")) | join kind=leftouter (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId) on DeviceId | extend VulnerableComponent = case( SoftwareName has "admingui", "admingui < 8.0.2", SoftwareName has "jsftemplating", "jsftemplating < 4.2.0", SoftwareName has "glassfish", "glassfish < 7.1.0", "unknown") | project Timestamp, DeviceName, OSPlatform, PublicIP, IsInternetFacing, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerableComponent, CveId, RecommendedSecurityUpdate | order by IsInternetFacing desc, DeviceName asc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-2587` ## Why this matters Severity classified as **CRIT** based on: CVE present, 7 use case(s) fired, 10 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.