CVE-2025-11538
MEDIUMKeycloak < 26.4.4 - Remote Code Execution via Debug Mode JDWP Port Binding
Title source: llmDescription
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
References (6)
Core 6
Core References
Issue Tracking
https://github.com/keycloak/keycloak/pull/43574
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:21370
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:21371
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-11538
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2402622
Scores
CVSS v3
6.8
EPSS
0.0001
EPSS Percentile
1.7%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1327
Status
published
Products (5)
Keycloak/keycloak
< 26.4.4
org.keycloak/keycloak-quarkus-dist
0 - 26.4.4Maven
Red Hat/Red Hat build of Keycloak 26.4
26.4-3
Red Hat/Red Hat build of Keycloak 26.4
26.4.4-1
Red Hat/Red Hat build of Keycloak 26.4.4
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026