RCE in Atlassian Crowd pdkinstall Plugin
Atlassian Crowd and Crowd Data Center shipped release builds with the pdkinstall development plugin incorrectly enabled. A remote attacker able to send HTTP requests to a vulnerable Crowd or Crowd Data Center instance can abuse this exposed plugin-installation functionality to install an arbitrary plugin. Because installed plugins execute within the application environment, successful exploitation results in remote code execution on the underlying Crowd server. Both unauthenticated and authenticated requests may be sufficient. Affected versions are Crowd 2.1.0 before 3.0.5, 3.1.0 before 3.1.6, 3.2.0 before 3.2.8, 3.3.0 before 3.3.5, and 3.4.0 before 3.4.4.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a working exploit for CVE-2019-11580, a remote code execution vulnerability in Atlassian Crowd and Crowd Data Center. The main exploit script (CVE-2019-11580.py) is written in Python and automates the process of uploading a malicious Java plugin (rce.jar) to the vulnerable /crowd/admin/uploadplugin.action endpoint. The plugin contains a servlet (exp.java) that acts as a webshell, allowing arbitrary command execution via HTTP requests to /crowd/plugins/servlet/exp with a 'cmd' parameter. The repository includes the Java source code for the webshell, a plugin descriptor (atlassian-plugin.xml), and a shell script (compile.sh) to build the malicious plugin. The README provides detailed usage instructions, affected versions (Crowd 2.1.0 through 3.4.4), and example commands. The exploit is operational and provides a remote shell on vulnerable targets.
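Where an access log for the Crowd front end is available, the two endpoints named above can be checked for after the fact. The following is an added example, not code from the page or from the exploit repository it describes: a Python scan over constructed access-log lines that flags POSTs to /crowd/admin/uploadplugin.action and plugin-servlet requests carrying a cmd parameter, then correlates the two by source address. The combined-style log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a combined-style access-log format (assumed, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2019:10:00:01 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jun/2019:10:00:09 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 412
203.0.113.7 - - [01/Jun/2019:10:00:12 +0000] "GET /crowd/plugins/servlet/exp?cmd=id HTTP/1.1" 200 89
10.0.0.8 - - [01/Jun/2019:10:01:00 +0000] "GET /crowd/plugins/servlet/admin HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_PATH = "/crowd/admin/uploadplugin.action"
SERVLET_PREFIX = "/crowd/plugins/servlet/"


def classify(line):
    """Return (ip, kind, path, status) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    query = parse_qs(parts.query)
    # Plugin installation through the development endpoint left enabled in release builds.
    if m["method"] == "POST" and path == UPLOAD_PATH:
        return (m["ip"], "plugin_upload", path, m["status"])
    # The servlet name is attacker-chosen, so match any plugin servlet that takes a cmd parameter
    # rather than only the "exp" name used by the published exploit.
    if path.startswith(SERVLET_PREFIX) and "cmd" in query:
        return (m["ip"], "servlet_cmd_param", path, m["status"])
    return None


def scan(log_text):
    """All findings from a block of log text, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def correlate(findings):
    """Source addresses seen both uploading a plugin and calling a servlet with cmd: high confidence."""
    kinds = {}
    for ip, kind, _path, _status in findings:
        kinds.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, k in kinds.items() if {"plugin_upload", "servlet_cmd_param"} <= k)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("correlated sources:", correlate(scan(SAMPLE_LOG)))
```

A successful upload recorded on a version in the affected ranges should be treated as a compromise indicator for that host, not merely as a scan.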
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A known (N-day) vulnerability in Atlassian Crowd that the actor attempted to exploit to achieve remote code execution by uploading a malicious JAR payload (rce.jar) to a server hosting e-passport/e-visa services.
An Atlassian vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).
A known security vulnerability used for initial access/foothold in ransomware intrusion chains (as cited in the context of 01flip ransomware campaigns).
An older vulnerability exploited by threat actors to gain initial access to networks targeted by the 01flip ransomware campaign. It is used as an entry point for further compromise.