CVE-2020-25260

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Hyland OnBase systems due to unsafe JSON deserialization. Attackers can achieve remote code execution (RCE) by sending specially crafted JSON payloads. All OnBase installations running affected versions are vulnerable.

💻 Affected Systems

Products:
  • Hyland OnBase
Versions: 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below, 20.3.10.1000 and below
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining complete control over the OnBase server, allowing data theft, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to data exfiltration, installation of backdoors, and disruption of business operations.

🟢 If Mitigated

If proper network segmentation and input validation are in place, impact may be limited to the OnBase application server only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and has been weaponized in the wild. Attackers can send malicious JSON payloads to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any release newer than the affected version ranges listed above

Vendor Advisory: https://www.hyland.com/en/security-advisories

Restart Required: Yes

Instructions:

1. Contact Hyland support for the appropriate patches.
2. Apply the patches to all affected OnBase servers.
3. Restart OnBase services.
4. Test functionality after patching.

🔧 Temporary Workarounds

Network Segmentation (applies to: all versions)

Restrict network access to OnBase servers to only trusted IP addresses and required users.

WAF Rules (applies to: all versions)

Implement Web Application Firewall rules to block malicious JSON payloads and deserialization attacks.

🧯 If You Can't Patch

  • Isolate OnBase servers in a separate network segment with strict access controls
  • Implement application-level input validation to reject suspicious JSON structures

🔍 How to Verify

Check if Vulnerable:

Check OnBase version against affected version list. Review application logs for unusual JSON deserialization errors.

Check Version:

Check the OnBase administration console or the server properties for the installed version number.

Verify Fix Applied:

Verify OnBase version is above affected versions. Test that malicious JSON payloads no longer execute code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON parsing errors
  • Unexpected process creation from OnBase services
  • Large or malformed JSON payloads in request logs

Network Indicators:

  • Unusual outbound connections from OnBase servers
  • Suspicious HTTP POST requests with JSON payloads to OnBase endpoints

SIEM Query:

source="onbase" AND ("JSON deserialization" OR "unexpected process" OR "malformed request")
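The log and network indicators above, turned into a small detector run over constructed sample records. This is an added example, not part of the original advisory or of any Hyland tooling; the OnBase service path, the parent-process hints, the endpoint path and the 64 KiB size threshold are assumptions to be replaced with values from the local install.

```python
import json

# Assumed hints for OnBase-owned parent processes (hypothetical; replace with the real service image names).
ONBASE_PARENT_HINTS = ("\\hyland\\", "onbase")
# Interpreters an OnBase service process has no normal reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAX_JSON_BYTES = 64 * 1024  # constructed threshold for a "large" request body

def flag_process_event(ev):
    """Process-creation record (Sysmon EID 1 / 4688 fields): OnBase parent spawning an interpreter."""
    parent = ev.get("ParentImage", "").lower()
    child = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    if any(h in parent for h in ONBASE_PARENT_HINTS) and child in SUSPICIOUS_CHILDREN:
        return f"OnBase parent {ev.get('ParentImage')} spawned {child}"
    return None

def flag_request(req):
    """JSON POST to an OnBase endpoint whose body is oversized or does not parse."""
    if req.get("method") != "POST" or "json" not in req.get("content_type", "").lower():
        return None
    body = req.get("body", "")
    if len(body.encode("utf-8")) > MAX_JSON_BYTES:
        return f"oversized JSON body ({len(body)} bytes) to {req.get('path')}"
    try:
        json.loads(body)
    except ValueError:
        return f"malformed JSON body to {req.get('path')}"
    return None

def scan(lines):
    """Run both detectors over newline-delimited JSON records; return (index, reason) pairs."""
    hits = []
    for i, line in enumerate(lines):
        rec = json.loads(line)
        reason = flag_process_event(rec) if rec.get("kind") == "process" else flag_request(rec)
        if reason:
            hits.append((i, reason))
    return hits

# Constructed sample records (not real telemetry); paths and endpoint are hypothetical.
_SVC = r"C:\Program Files\Hyland\OnBase\AppServer\OnBaseSvc.exe"
_REQ = {"kind": "request", "method": "POST", "path": "/onbase/api", "content_type": "application/json"}
SAMPLE_LOGS = [
    json.dumps({"kind": "process", "ParentImage": _SVC, "Image": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"kind": "process", "ParentImage": _SVC, "Image": _SVC.replace("OnBaseSvc", "Worker")}),
    json.dumps({**_REQ, "body": '{"doc": 1}'}),                      # well-formed, small: no hit
    json.dumps({**_REQ, "body": '{"doc": '}),                        # truncated JSON: hit
    json.dumps({**_REQ, "body": json.dumps({"pad": "A" * 70000})}),  # oversized: hit
]
```

Running `scan(SAMPLE_LOGS)` flags records 0, 3 and 4; feed it real Sysmon/IIS records normalised to the same field names to use it as a starting point for the SIEM rule above.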
