CVE-2025-2251

MEDIUM

Red Hat JBoss EAP 7.4.23 - Unauthenticated Remote Code Execution via Marshalling Deserialization


Description

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

References (9)

Core References
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10452
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10453
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10459
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10924
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10925
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10926
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:10931
Vendor VDB Entry (Red Hat): https://access.redhat.com/security/cve/CVE-2025-2251
Issue Tracking (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=2351678

Scores

CVSS v3.1 Base Score 6.2
EPSS 0.0194
EPSS Percentile 83.7%
Attack Vector NETWORK
CVSS Vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (50)
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:1.10.0-42.Final_redhat_00042.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:1.15.26-1.Final_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:1.5.21-1.Final_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:1.9.6-1.Final_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:2.16.0-21.redhat_00055.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:2.3.14-9.SP10_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:3.3.27-1.Final_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:3.5.10-1.redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:5.4.15-1.Final_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:6.0.23-3.SP2_redhat_00001.1.el8eap
... and 40 more
Published Apr 07, 2025
Tracked Since Feb 18, 2026