CVE-2025-11538
📋 TL;DR
A vulnerability in Keycloak's server distribution causes the Java Debug Wire Protocol (JDWP) port to be bound to all network interfaces when the server is started with the --debug flag. JDWP has no authentication, so any client that can reach that port can attach a remote debugger and execute arbitrary code inside the Keycloak Java virtual machine. Only deployments started with --debug open a JDWP listener at all; organizations running Keycloak with debug mode enabled are at risk.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution within the Keycloak JVM, allowing complete compromise of the Keycloak server, access to authentication secrets, and potential lateral movement to connected systems.
Likely Case
Any attacker who can reach the debug port over the network can execute arbitrary code in the JVM, potentially stealing sensitive authentication data such as realm signing keys and client secrets, modifying user permissions, or disrupting authentication services.
If Mitigated
Minimal impact if debug mode is disabled or properly secured with network controls; debug functionality remains available only to authorized administrators.
🎯 Exploit Status
Exploitation requires network access to the debug port; standard JDWP debugging tools can be used for exploitation without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions fixed in RHSA-2025:21370 and RHSA-2025:21371
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:21370
Restart Required: Yes
Instructions:
1. Update Keycloak to the patched version from the Red Hat advisories.
2. Restart the Keycloak service.
3. If debug mode is still needed, verify that the JDWP port now binds only to localhost.
🔧 Temporary Workarounds
Disable Debug Mode
Remove the --debug flag from the startup arguments; without it the JVM never opens a JDWP listener, which eliminates the exposure entirely
Check Keycloak startup scripts and remove any '--debug' arguments
Restrict Debug Port with Firewall
Block access to the JDWP port (default 8787) from everything except the local host:
iptables -A INPUT -p tcp --dport 8787 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8787 -j DROP
These rules must come before any broader ACCEPT rule in the INPUT chain (use -I instead of -A to insert them at the top), and the same pair is needed in ip6tables (with -s ::1) if the JVM also listens on the IPv6 wildcard address.
🧯 If You Can't Patch
- Disable debug mode immediately by removing --debug flag from all Keycloak instances
- Implement strict network segmentation to isolate Keycloak servers from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether Keycloak was started with --debug. The flag is handled by the kc.sh launcher and may not appear on the java process itself, so also search the running JVM's arguments for the JDWP agent that the flag enables:
ps -eo pid,args | grep -E '[-]-debug|[-]agentlib:jdwp'
(The bracketed first character keeps grep from matching its own command line and stops it from treating --debug as one of its own options, which is why a plain grep --debug fails.)
Check Version:
bin/kc.sh --version, or check the version shown in the Keycloak admin console
Verify Fix Applied:
Confirm that the debug port, if still enabled, binds only to the loopback address:
ss -tlnp | grep 8787 (or netstat -tlnp | grep 8787)
A listener on 127.0.0.1:8787 or [::1]:8787 is local-only; 0.0.0.0:8787, *:8787, [::]:8787 or :::8787 means the port is reachable from every interface.
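The two checks above (is a JDWP listener bound to a non-loopback address, and does it actually answer a debugger) can be scripted. The following is an added example, not code from the Keycloak project or the advisory. It assumes the default debug port 8787 and listener lines in the format printed by ss -tlnp; the sample ss output and the stand-in listener are constructed for the demo so it runs offline. The probe only exchanges the 14-byte JDWP greeting and sends no commands.

```python
"""Checks for an exposed Keycloak JDWP listener. Added example, not code from
the Keycloak project or the advisory. Assumes the default debug port 8787 and
`ss -tlnp` style listener lines; the sample output below is constructed."""
import ipaddress
import re
import socket
import threading

JDWP_PORT = 8787
HANDSHAKE = b"JDWP-Handshake"   # 14-byte greeting; the server echoes it back

# Constructed `ss -tlnp` output (not captured from a real host): one JVM with
# the debug port on all IPv4 interfaces, one on loopback, one on all IPv6.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096       0.0.0.0:8787      0.0.0.0:*     users:(("java",pid=4242,fd=5))
LISTEN 0      4096     127.0.0.1:8787      0.0.0.0:*     users:(("java",pid=4243,fd=5))
LISTEN 0      4096             *:8080            *:*     users:(("java",pid=4242,fd=9))
LISTEN 0      4096          [::]:8787         [::]:*     users:(("java",pid=4244,fd=5))
"""


def split_local(local: str):
    """'[::]:8787' -> ('::', 8787); '0.0.0.0:8787' -> ('0.0.0.0', 8787)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def bind_scope(host: str) -> str:
    """Classify a bind address: 'wildcard' (every interface), 'loopback', or 'specific'."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"
    except ValueError:
        return "specific"


def exposed_jdwp_listeners(ss_output: str, port: int = JDWP_PORT) -> list:
    """Return (pid, bind address) for listeners on the JDWP port that are
    reachable from other hosts, i.e. not bound to a loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        host, lport = split_local(fields[3])
        if lport != port or bind_scope(host) == "loopback":
            continue
        pid = re.search(r"pid=(\d+)", line)
        findings.append((int(pid.group(1)) if pid else None, host))
    return findings


def probe_jdwp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port answers the JDWP handshake, i.e. a debugger could
    attach. Only the greeting is exchanged; no JDWP commands are sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            reply = b""
            while len(reply) < len(HANDSHAKE):
                chunk = s.recv(len(HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == HANDSHAKE
    except OSError:
        return False


def start_fake_jdwp_listener(answer: bool = True) -> int:
    """Stand-in for a JVM debug port (constructed for the demo): accepts one
    connection on loopback and echoes the handshake if `answer` is True."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(len(HANDSHAKE)) == HANDSHAKE and answer:
                conn.sendall(HANDSHAKE)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for pid, host in exposed_jdwp_listeners(SAMPLE_SS_OUTPUT):
        print(f"pid {pid}: JDWP port {JDWP_PORT} bound to {host}, reachable from the network")
    demo_port = start_fake_jdwp_listener()
    print(f"handshake answered on 127.0.0.1:{demo_port}:", probe_jdwp("127.0.0.1", demo_port))
```

On a real host, feed the output of ss -tlnp into exposed_jdwp_listeners and run probe_jdwp against the server's non-loopback address from another machine; a positive handshake means anyone on that network path can attach a debugger.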
📡 Detection & Monitoring
Log Indicators:
- JVM startup output containing "Listening for transport dt_socket at address:" followed by the debug port (the JDWP agent prints this when it begins listening)
- Debug mode enabled warnings
- Unexpected connections to debug port
Network Indicators:
- Network scans targeting port 8787
- JDWP protocol traffic from unauthorized sources
SIEM Query:
(source_port:8787 OR dest_port:8787) AND NOT src_ip:127.0.0.1
Without the parentheses most query languages bind AND tighter than OR, so the loopback exclusion would apply only to the dest_port clause. Adjust the field names to your schema and also exclude the IPv6 loopback (::1) where hosts use it.
🔗 References
- https://access.redhat.com/errata/RHSA-2025:21370
- https://access.redhat.com/errata/RHSA-2025:21371
- https://access.redhat.com/security/cve/CVE-2025-11538
- https://bugzilla.redhat.com/show_bug.cgi?id=2402622
- https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9
- https://github.com/keycloak/keycloak/pull/43574