diff --git a/modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partaa b/modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partaa
new file mode 100644
index 000000000..6c16eef3a
Binary files /dev/null and b/modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partaa differ
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partab b/modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partab
new file mode 100644
index 000000000..2e747ac2d
Binary files /dev/null and b/modules/vulnerabilities/unix/http/lucee_rce/files/lucee-express-5.3.7.43.zip.partab differ
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/lucee_rce.pp b/modules/vulnerabilities/unix/http/lucee_rce/lucee_rce.pp
new file mode 100644
index 000000000..47b1485cd
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/lucee_rce/lucee_rce.pp
@@ -0,0 +1,6 @@
+contain lucee_rce::install
+contain lucee_rce::service
+contain lucee_rce::configure
+Class['lucee_rce::install']
+-> Class['lucee_rce::configure']
+-> Class['lucee_rce::service']
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/manifests/configure.pp b/modules/vulnerabilities/unix/http/lucee_rce/manifests/configure.pp
new file mode 100644
index 000000000..16621a806
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/lucee_rce/manifests/configure.pp
@@ -0,0 +1,25 @@
+# Class: lucee_rce::configure
+# Configuration for lucee with secgen
+#
+class lucee_rce::configure {
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $leaked_filenames = $secgen_parameters['leaked_filenames']
+ $strings_to_leak = $secgen_parameters['strings_to_leak']
+ $user = $secgen_parameters['leaked_username'][0]
+ $user_home = "/home/${user}"
+
+ Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+ file { '/usr/local/src/lucee-express-5.3.7.43.zip':
+ ensure => absent
+ }
+
+ ::secgen_functions::leak_files { 'lucee-flag-leak':
+ storage_directory => $user_home,
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => $strings_to_leak,
+ owner => $user,
+ mode => '0644',
+ leaked_from => 'lucee_rce',
+ }
+}
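Review bot: The `ensure => absent` on `/usr/local/src/lucee-express-5.3.7.43.zip` fights with `rebuild-archive` in install.pp, which has no `creates`/`unless` guard, so every Puppet run rewrites the archive, unzips it and then deletes it again here. A guard on the install-side execs, for example `creates => '/usr/local/src/bin/startup.sh',`, would let the run converge. The archive name is hard-coded here although install.pp already has `$releasename`, so a version bump has to be made in two places. A one-line comment above the resource, such as `# Remove the installer archive once it has been unpacked`, would explain why a configure class deletes a file.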
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/manifests/install.pp b/modules/vulnerabilities/unix/http/lucee_rce/manifests/install.pp
new file mode 100644
index 000000000..702259225
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/lucee_rce/manifests/install.pp
@@ -0,0 +1,52 @@
+# Class: lucee_rce::install
+# Install process for lucee can be found at:
+# https://docs.lucee.org/guides/installing-lucee/download-and-install.html
+class lucee_rce::install {
+ Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+ $modulename = 'lucee_rce'
+ $releasename = 'lucee-express-5.3.7.43.zip'
+ $splits = ["${releasename}.partaa",
+ "${releasename}.partab"]
+
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $port = $secgen_parameters['port'][0]
+ $user = $secgen_parameters['leaked_username'][0]
+ $user_home = "/home/${user}"
+
+ ensure_packages(['openjdk-11-jdk'], { ensure => 'installed'})
+
+ $splits.each |String $split| {
+ file { "/tmp/${split}":
+ ensure => file,
+ source => "puppet:///modules/${modulename}/${split}",
+ }
+ }
+
+ # Create user
+ user { $user:
+ ensure => present,
+ home => $user_home,
+ managehome => true,
+ }
+
+ exec { 'rebuild-archive':
+ cwd => '/tmp/',
+ command => "cat ${releasename}.parta* >/usr/local/src/${releasename}",
+ }
+ -> exec { 'unpack-lucee':
+ cwd => '/usr/local/src/',
+ command => 'unzip -n lucee-express-5.3.7.43.zip',
+ }
+ -> file { '/usr/local/src/logs/':
+ ensure => directory,
+ }
+ -> exec { 'giveperms-lucee':
+ command => 'chmod -R 777 /usr/local/src/bin/',
+ }
+ -> exec { 'chmod-lucee':
+ command => "chown -R ${user} /usr/local/src/",
+ }
+ -> exec { 'set-port':
+ command => "sed -i 's/8888/${port}/' /usr/local/src/conf/server.xml"
+ }
+}
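Review bot: `chmod -R 777 /usr/local/src/bin/` in `giveperms-lucee` leaves the scripts that the systemd unit starts writable by every local account. That weakness is separate from the CVE this module is meant to provide, and it makes the scenario's intended path ambiguous. Because `chmod-lucee` hands the tree to `${user}` straight afterwards, `command => 'chmod -R 755 /usr/local/src/bin/',` should be enough for the service to start. `set-port` interpolates `${port}` into a shell line without checking that it is numeric, and the unanchored `sed` would rewrite the value again on a later run if the chosen port itself contains `8888`. `unzip` is called but only `openjdk-11-jdk` is ensured in this hunk; presumably the base image provides it, which is worth confirming.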
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/manifests/service.pp b/modules/vulnerabilities/unix/http/lucee_rce/manifests/service.pp
new file mode 100644
index 000000000..30defc5f1
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/lucee_rce/manifests/service.pp
@@ -0,0 +1,18 @@
+# Class: lucee_rce::service
+# Service behaviour
+#
+class lucee_rce::service {
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $user = $secgen_parameters['leaked_username'][0]
+
+ file { '/etc/systemd/system/lucee.service':
+ content => template('lucee_rce/lucee.service.erb'),
+ owner => 'root',
+ mode => '0777',
+ }
+
+ service { 'lucee':
+ ensure => 'running',
+ enable => 'true',
+ }
+}
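Review bot: `mode => '0777'` on `/etc/systemd/system/lucee.service` makes a root-owned unit file writable by every local user, so the file that decides what systemd runs, and as which account, is no longer under root's control. That is a wider exposure than the `user_rwx` privilege the module metadata declares. Unit files need no execute bit, and `mode => '0644',` is the usual value. The `service` resource also has no relationship to the file; adding `subscribe => File['/etc/systemd/system/lucee.service'],` would make the ordering explicit and restart the service when the template changes. `enable => 'true'` would read better as the unquoted boolean `enable => true,`.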
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/secgen_metadata.xml b/modules/vulnerabilities/unix/http/lucee_rce/secgen_metadata.xml
new file mode 100644
index 000000000..573cbd860
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/lucee_rce/secgen_metadata.xml
@@ -0,0 +1,57 @@
+
+
+
+ Lucee Administrator imgProcess.cfm Arbitrary File Write
+ James Davis
+ MIT
+
+ This module exploits an arbitrary file write in Lucee Administrator's
+ imgProcess.cfm file to execute commands as the Tomcat user.
+
+
+ http
+ in_the_wild
+ user_rwx
+ remote
+ linux
+ low
+
+ port
+ strings_to_leak
+ leaked_filenames
+
+
+
+
+
+
+
+
+
+
+
+ flag
+
+
+
+
+
+
+
+ CVE-2021-21307
+ 9.8
+ AV:N/AC:L/Au:N/C:C/I:C/A:C
+ https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
+
+ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb
+ Lucee Server
+ Apache/LGPL
+
+
+ update
+
+
+
\ No newline at end of file
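Review bot: The input list here shows only `port`, `strings_to_leak` and `leaked_filenames`, but install.pp, configure.pp and service.pp all read `$secgen_parameters['leaked_username'][0]`. The markup is not visible in this rendering, so the input may be declared in the lines that appear blank; if it is not, the manifests index into an undefined value. The score `9.8` is paired with `AV:N/AC:L/Au:N/C:C/I:C/A:C`, which is CVSS v2 syntax, while 9.8 looks like the v3 base score for this CVE, so one of the two should be changed to match the other. The description's "as the Tomcat user" also does not match the unit template, which runs the service as the generated `leaked_username` account.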
diff --git a/modules/vulnerabilities/unix/http/lucee_rce/templates/lucee.service.erb b/modules/vulnerabilities/unix/http/lucee_rce/templates/lucee.service.erb
new file mode 100644
index 000000000..eebe87467
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/lucee_rce/templates/lucee.service.erb
@@ -0,0 +1,15 @@
+[Unit]
+Description=Lucee
+[Service]
+Type=forking
+User=<%= @user %>
+ExecStart=/usr/local/src/bin/startup.sh
+ExecStop=/usr/local/src/bin/shutdown.sh
+TimeoutStopSec=5
+# The exit code of the tomcat java process when terminated via shutdown.sh is 143.
+# Don't treat that non-zero exit code as a failure.
+SuccessExitStatus=143
+Restart=always
+RestartSec=5
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
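Review bot: `Type=forking` is used without `PIDFile=`, so systemd has to guess which process is the main one once `startup.sh` returns, and `Restart=always` then depends on that guess. If the bundled Tomcat scripts honour `CATALINA_PID` (to be confirmed for this Lucee Express build), setting it with `Environment=` and pointing `PIDFile=` at the same path would make tracking reliable. The `[Unit]` section declares no ordering such as `After=network.target`, and the file has no trailing newline.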
diff --git a/scenarios/examples/vulnerability_examples/lucee_rce.xml b/scenarios/examples/vulnerability_examples/lucee_rce.xml
new file mode 100644
index 000000000..d27e05a2d
--- /dev/null
+++ b/scenarios/examples/vulnerability_examples/lucee_rce.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+ lucee
+
+
+
+
+
+
+
+
\ No newline at end of file