CVE-2020-12835
CRITICALSmartBear ReadyAPI SoapUI Pro 3.2.5 - Code Injection
Title source: llmDescription
An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Due to unsafe use of an Java RMI based protocol in an unsafe configuration, an attacker can inject malicious serialized objects into the communication, resulting in remote code execution in the context of a client-side Network Licensing Protocol component.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_misc
https://www.syss.de/pentest-blog/
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/May/38
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157772/Protection-Licensing-Toolkit-ReadyAPI-3.2.5-Code-Execution-Deserialization.html
Exploit, Third Party Advisory x_refsource_misc
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-039.txt
Scores
CVSS v3
9.8
EPSS
0.1170
EPSS Percentile
95.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
smartbear/readyapi
3.2.5
Published
May 20, 2020
Tracked Since
Feb 18, 2026