vulnerability
Red Hat JBoss EAP: CVE-2025-2251: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:M/Au:M/C:P/I:C/A:C) | Apr 7, 2025 | Apr 10, 2025 | Mar 25, 2026 |
Severity
8
CVSS
(AV:N/AC:M/Au:M/C:P/I:C/A:C)
Published
Apr 7, 2025
Added
Apr 10, 2025
Modified
Mar 25, 2026
Description
A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.. A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.
Solution
red-hat-jboss-eap-upgrade-latest
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.