Proof of concept exploit, showing how to do bytecode injection through untrusted deserialization with Spring Framework 4.2.4
Check out writeup for more information: http://zerothoughts.tumblr.com/post/137831000514/spring-framework-deserialization-rce