CVE-2021-35464

CRITICAL KEV RANSOMWARE NUCLEI

ForgeRock Access Management < 6.5.4 & OpenAM 9.0.0-14.6.3 - RCE via Jato PageSession Deserialization

Title source: llm

Exploitation Summary

CVE-2021-35464 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021), with confirmed use in ransomware campaigns. EIP tracks 4 public exploits, from researchers including Photubias, Y4er and rood8008, as well as a Metasploit module, exploits/multi/http/cve_2021_35464_forgerock_openam. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a deserialization vulnerability in ForgeRock OpenAM to achieve unauthenticated remote code execution. It sends a malicious serialized payload to the target endpoint, bypassing potential WAFs via path traversal.

Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of the Sun ONE Application Framework (JATO), found in versions of Java 8 or earlier.

Exploits (4)

exploitdb · WORKING POC
by Photubias · python · webapps · java
https://www.exploit-db.com/exploits/50131

This exploit leverages a deserialization vulnerability in ForgeRock OpenAM to achieve unauthenticated remote code execution. It sends a malicious serialized payload to the target endpoint, bypassing potential WAFs via path traversal.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: ForgeRock OpenAM 14.6.3, ForgeRock 6.0.0.x, 6.5.x up to 6.5.3
No auth needed
Prerequisites: Network access to the target OpenAM instance · Vulnerable version of OpenAM/ForgeRock
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 87 stars
by Y4er · remote
https://github.com/Y4er/openam-CVE-2021-35464

This repository contains a functional exploit for CVE-2021-35464, leveraging deserialization in OpenAM to achieve remote command execution (RCE) via crafted payloads. The exploit uses ysoserial and custom payloads to execute commands and return output.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: OpenAM (ForgeRock Access Management)
No auth needed
Prerequisites: Access to the OpenAM server · Java runtime environment
devstral-2 · analyzed Feb 18, 2026
nomisec · SCANNER
by rood8008 · infoleak
https://github.com/rood8008/CVE-2021-35464

The repository contains a Nuclei template for detecting CVE-2021-35464, a pre-authentication RCE vulnerability in ForgeRock OpenAM. The template sends a crafted GET request to trigger a path traversal and checks for a 302 redirect response, indicating potential vulnerability.

Classification: Scanner 90% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: ForgeRock OpenAM
No auth needed
Prerequisites: Network access to the target OpenAM server
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · EXCELLENT
by Michael Stepankin, bwatters-r7, Spencer McIntyre, jheysel-r7 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cve_2021_35464_forgerock_openam.rb

This Metasploit module exploits a pre-authentication Java deserialization vulnerability (CVE-2021-35464) in ForgeRock OpenAM, allowing remote code execution via a crafted POST request to the `/oauth2/..;/ccversion/Version` endpoint.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: ForgeRock OpenAM (versions affected by CVE-2021-35464)
No auth needed
Prerequisites: Network access to the target OpenAM instance · Vulnerable endpoint exposed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

ForgeRock OpenAM < 7.0 - Remote Code Execution
CRITICAL · by madrobot
Shodan: http.title:"OpenAM" || http.title:"openam"
FOFA: title="openam"

References (5)

Core References
Broken link (x_refsource_misc): https://bugster.forgerock.org
Exploit, Permissions Required, Vendor Advisory (x_refsource_confirm): https://backstage.forgerock.com/knowledge/kb/article/a47894244

Scores

CVSS v3 9.8
EPSS 0.9439
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-12
ENISA EUVD EUVD-2021-22106
Ransomware Use Confirmed
CWE
CWE-502
Status published
Products (2)
forgerock/access_management < 6.5.4
forgerock/openam 9.0.0 - 14.6.3
Published Jul 22, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026