CVE-2015-6420: "Cisco Java Object Deserialization Remote Command Execution"
CVSS 3.1 base score 9.8 (CRITICAL)
Description

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

INFO

Published Date: Dec. 15, 2015, 5:59 a.m.
Last Modified: Feb. 24, 2026, 7:36 p.m.
Remotely Exploitable: Yes
Affected Products

The following products are affected by the CVE-2015-6420 vulnerability. Even where cvefeed.io is aware of the exact affected versions, that information is not represented in the table below.

ID | Vendor | Product | Action
1 | Apache | commons_collections |
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 2.0 HIGH [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
Upgrade Cisco products to address a vulnerability related to serialized Java objects and the Apache Commons Collections library.
  • Upgrade affected Cisco products to a patched version or later.
  • Refer to Cisco bug ID CSCux34671 for specific versions.
Public PoC/Exploit Available at GitHub

CVE-2015-6420 has 42 public PoCs/exploits available on GitHub; the list follows below.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2015-6420.

URL | Resource
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization | Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | Third Party Advisory
http://www.securityfocus.com/bid/78872 | Third Party Advisory, VDB Entry
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ | Exploit, Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 | Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 | Third Party Advisory
https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E | Vendor Advisory
https://news.apache.org/foundation/entry/apache_commons_statement_to_widespread | Vendor Advisory
https://www.kb.cert.org/vuls/id/576313 | Third Party Advisory
https://www.kb.cert.org/vuls/id/581311 | Third Party Advisory
https://www.tenable.com/security/research/tra-2017-14 | Third Party Advisory
https://www.tenable.com/security/research/tra-2017-23 | Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2015-6420 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2015-6420 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

Company Profile System - Spring Boot 3 migration library compatibility verification
Languages: Dockerfile, Java
Updated: 1 day, 2 hours ago. 0 stars, 0 forks, 0 watchers.
Born at: March 9, 2026, 1:05 a.m. This repo has also been linked to 3 different CVEs.

Homepage System - Spring Boot 3 migration library compatibility verification
Languages: Dockerfile, Java
Updated: 1 day, 2 hours ago. 0 stars, 0 forks, 0 watchers.
Born at: March 9, 2026, 12:26 a.m. This repo has also been linked to 3 different CVEs.

Electronic Voting System - Spring Boot 3 migration library compatibility verification
Languages: Dockerfile, Java
Updated: 1 day, 2 hours ago. 0 stars, 0 forks, 0 watchers.
Born at: March 9, 2026, 12:25 a.m. This repo has also been linked to 3 different CVEs.

Scala/SBT dependency risk scanner — vulnerability detection, license compliance, SBOM generation, unused dep analysis, policy-as-code, and more
Topics: cli, dependency-scanner, license-compliance, open-source, rust, sbom, sbt, scala, security, vulnerability-scanner
Languages: Shell, Rust
Updated: 1 day, 22 hours ago. 0 stars, 0 forks, 0 watchers.
Born at: March 7, 2026, 2:21 p.m. This repo has also been linked to 26 different CVEs.

(no description)
Languages: Shell, Java, HTML
Updated: 1 month ago. 0 stars, 0 forks, 0 watchers.
Born at: Feb. 9, 2026, 4:57 a.m. This repo has also been linked to 9 different CVEs.

(no description)
Languages: Go, Java, JavaScript, Python
Updated: 1 month, 1 week ago. 0 stars, 2 forks, 2 watchers.
Born at: Jan. 28, 2026, 3:22 p.m. This repo has also been linked to 9 different CVEs.

(no description)
Languages: Java
Updated: 2 months ago. 0 stars, 0 forks, 0 watchers.
Born at: Jan. 5, 2026, 8:07 p.m. This repo has also been linked to 8 different CVEs.

(no description)
Languages: Java
Updated: 2 months, 2 weeks ago. 0 stars, 0 forks, 0 watchers.
Born at: Dec. 20, 2025, 4:03 p.m. This repo has also been linked to 5 different CVEs.

(no description)
Languages: Dockerfile, Python, Shell, Java
Updated: 3 months ago. 0 stars, 0 forks, 0 watchers.
Born at: Dec. 3, 2025, 4:20 a.m. This repo has also been linked to 3 different CVEs.

Test repository for resolved vulnerabilities feature using Java/Maven dependencies
Languages: Java
Updated: 3 months, 1 week ago. 0 stars, 0 forks, 0 watchers.
Born at: Nov. 26, 2025, 3:47 p.m. This repo has also been linked to 4 different CVEs.

(no description)
Updated: 3 months, 2 weeks ago. 0 stars, 0 forks, 0 watchers.
Born at: Nov. 19, 2025, 2:04 p.m. This repo has also been linked to 4 different CVEs.

(no description)
Languages: C#, Go, Java, JavaScript, Python, F#
Updated: 2 months ago. 0 stars, 0 forks, 0 watchers.
Born at: Oct. 13, 2025, 11:34 a.m. This repo has also been linked to 11 different CVEs.

(no description)
Languages: Dockerfile, Java, Python, Open Policy Agent, Shell, HCL
Updated: 6 months, 2 weeks ago. 0 stars, 0 forks, 0 watchers.
Born at: Aug. 22, 2025, 4:31 p.m. This repo has also been linked to 2 different CVEs.

This is a sample repo with vulnerable docker files and others
Languages: Go, Java, Dockerfile, JavaScript, Python, C#, PHP
Updated: 6 months, 2 weeks ago. 0 stars, 0 forks, 0 watchers.
Born at: Aug. 19, 2025, 5:06 p.m. This repo has also been linked to 9 different CVEs.

(no description)
Languages: JavaScript, Python, PHP, Java, Go, C#, Dockerfile
Updated: 1 month ago. 0 stars, 0 forks, 0 watchers.
Born at: Aug. 7, 2025, 4:51 a.m. This repo has also been linked to 9 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2015-6420 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2015-6420 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Reanalysis by [email protected]

    Feb. 24, 2026

    Action Type Old Value New Value
    Changed CPE Configuration
      Old: OR *cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* ; *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to (excluding) 3.2.2
      New: OR *cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* ; *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions from (including) 3.0 up to (excluding) 3.2.2
  • Modified Analysis by [email protected]

    Feb. 24, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed CPE Configuration
      Old: OR *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to (including) 3.2.1 ; *cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*
      New: OR *cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* ; *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to (excluding) 3.2.2
    Added Reference Type Cisco Systems, Inc.: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Types: Third Party Advisory
    Added Reference Type Cisco Systems, Inc.: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E Types: Vendor Advisory
    Added Reference Type Cisco Systems, Inc.: https://www.kb.cert.org/vuls/id/581311 Types: Third Party Advisory
    Added Reference Type CVE: https://www.kb.cert.org/vuls/id/581311 Types: Third Party Advisory
    Added Reference Type CVE: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E Types: Vendor Advisory
    Added Reference Type CVE: https://news.apache.org/foundation/entry/apache_commons_statement_to_widespread Types: Vendor Advisory
    Added Reference Type CVE: https://www.kb.cert.org/vuls/id/576313 Types: Third Party Advisory
    Added Reference Type CVE: https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ Types: Exploit, Third Party Advisory
    Added Reference Type CVE: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Types: Third Party Advisory
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Mar. 25, 2025

    Action Type Old Value New Value
    Added Reference https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
    Added Reference https://news.apache.org/foundation/entry/apache_commons_statement_to_widespread
    Added Reference https://www.kb.cert.org/vuls/id/576313
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
    Added Reference http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
    Added Reference http://www.securityfocus.com/bid/78872
    Added Reference https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
    Added Reference https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
    Added Reference https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E
    Added Reference https://www.kb.cert.org/vuls/id/581311
    Added Reference https://www.tenable.com/security/research/tra-2017-14
    Added Reference https://www.tenable.com/security/research/tra-2017-23
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Nov. 07, 2023

    Action Type Old Value New Value
    Added Reference Cisco Systems, Inc. https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E [No types assigned]
    Removed Reference Cisco Systems, Inc. https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E
  • CVE Modified by [email protected]

    Mar. 10, 2021

    Action Type Old Value New Value
    Removed Reference https://www.kb.cert.org/vuls/id/576313 [Third Party Advisory]
    Added Reference https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E [No Types Assigned]
  • CVE Modified by [email protected]

    Oct. 01, 2018

    Action Type Old Value New Value
    Added Reference https://www.kb.cert.org/vuls/id/581311 [No Types Assigned]
  • CVE Modified by [email protected]

    Jul. 19, 2018

    Action Type Old Value New Value
    Added Reference http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html [No Types Assigned]
  • Modified Analysis by [email protected]

    Dec. 14, 2017

    Action Type Old Value New Value
    Removed Evaluator Description: CWE-502: Deserialization of Untrusted Data (http://cwe.mitre.org/data/definitions/502.html)
    Changed Reference Type: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization: No Types Assigned → Third Party Advisory
    Changed Reference Type: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722: No Types Assigned → Third Party Advisory
    Changed Reference Type: https://www.tenable.com/security/research/tra-2017-14: No Types Assigned → Third Party Advisory
    Changed Reference Type: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917: No Types Assigned → Third Party Advisory
    Changed Reference Type: https://www.tenable.com/security/research/tra-2017-23: No Types Assigned → Third Party Advisory
    Changed Reference Type: http://www.securityfocus.com/bid/78872: No Types Assigned → Third Party Advisory, VDB Entry
    Added Reference https://www.kb.cert.org/vuls/id/576313 [Third Party Advisory]
    Removed CWE NVD-CWE-Other
    Added CWE CWE-502
    Changed CPE Configuration
      Old: OR *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to (including) 3.2.1 ; *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to (including) 4.0
      New: OR *cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to (including) 3.2.1 ; *cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Nov. 08, 2017

    Action Type Old Value New Value
    Added Reference https://www.tenable.com/security/research/tra-2017-23 [No Types Assigned]
  • CVE Modified by [email protected]

    Nov. 03, 2017

    Action Type Old Value New Value
    Added Reference https://www.tenable.com/security/research/tra-2017-14 [No Types Assigned]
  • CVE Modified by [email protected]

    Feb. 17, 2017

    Action Type Old Value New Value
    Added Reference https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 [No Types Assigned]
  • CVE Modified by [email protected]

    Jan. 20, 2017

    Action Type Old Value New Value
    Added Reference https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 [No Types Assigned]
  • CVE Modified by [email protected]

    Nov. 28, 2016

    Action Type Old Value New Value
    Added Reference http://www.securityfocus.com/bid/78872 [No Types Assigned]
  • Modified Analysis by [email protected]

    Dec. 16, 2015

    Action Type Old Value New Value
    Added Evaluator Description: CWE-502: Deserialization of Untrusted Data (http://cwe.mitre.org/data/definitions/502.html)
    Added CPE Configuration: Configuration 1 OR *cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:* (and previous) ; *cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:* (and previous)
    Added CVSS V2 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Added CWE NVD-CWE-Other
  • Initial Analysis by [email protected]

    Dec. 15, 2015

    Action Type Old Value New Value
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8 (metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact)
Base CVSS Score: 7.5 (metrics: Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact)
Exploit Prediction

EPSS score: 4.71%
EPSS percentile: 0.95545