CVE-2025-23367
📋 TL;DR
This vulnerability allows users with Monitor or Auditor roles in Wildfly Server to suspend or resume the server despite having only read permissions. It affects Wildfly Server deployments using Role Based Access Control (RBAC) provider for management operation authorization. The flaw occurs because Suspend and Resume handlers lack proper authorization checks.
💻 Affected Systems
- Wildfly Server
📦 What is this software?
- Jboss Enterprise Application Platform by Redhat
- Wildfly by Redhat
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding only the read-only Monitor or Auditor role could suspend the server, which stops it accepting new requests and amounts to a denial of service, or resume a server that an administrator deliberately suspended for maintenance. The flaw grants no additional write or administrative rights beyond these two operations.
Likely Case
Authorized users with limited privileges could accidentally or intentionally suspend/resume servers, causing service disruption and violating least privilege principles.
If Mitigated
With the management interface reachable only from administrator networks and audit logging enabled, the impact is limited to a service interruption on the affected Wildfly instance that is visible in the audit log and can be reversed with a resume.
🎯 Exploit Status
Exploitation requires valid credentials for an account mapped to the Monitor or Auditor role, which are meant to be read-only. No exploit code is needed: the standard `:suspend` and `:resume` operations on the root resource (or the corresponding server operations in domain mode) can be issued through the management CLI, the HTTP management API or the web console.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:3465
Restart Required: Yes
Instructions:
1. Review the Red Hat advisories listed below for the patched Wildfly/EAP version that applies to your deployment.
2. Apply the security update via your package manager or by upgrading the server distribution.
3. Restart the Wildfly Server services.
4. Verify the fix by confirming that a Monitor/Auditor account can no longer suspend or resume the server (see How to Verify).
🔧 Temporary Workarounds
Restrict Management Interface Access
Linux: limit network access to the Wildfly management interface (port 9990 by default) to authorized administrators only. The rich rule below only adds an accept for the trusted source; it is effective only if the zone does not otherwise open port 9990, so remove any broader service or port rule for it. Binding the management interface to localhost (for example starting the server with `-bmanagement=127.0.0.1`) is a stricter alternative.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="9990" accept'
firewall-cmd --reload
Temporary Role Mapping Review
All: the permissions of the standard RBAC roles cannot be edited, and because the Suspend/Resume handlers skipped the authorization check entirely, no RBAC setting blocks them. In particular, `permission-combination-policy` (an attribute of `/core-service=management/access=authorization`, not of a `/subsystem=rbac` resource) only governs how several roles held by one user combine and does not mitigate this flaw. Instead, list who is mapped to Monitor and Auditor and remove any account or group that does not need management access until the patch is applied:
/core-service=management/access=authorization/role-mapping=Monitor:read-resource(recursive=true)
/core-service=management/access=authorization/role-mapping=Auditor:read-resource(recursive=true)
/core-service=management/access=authorization/role-mapping=Monitor/include=INCLUDE_NAME:remove
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Wildfly management interfaces
- Enhance monitoring and alerting for unauthorized suspend/resume operations
🔍 How to Verify
Check if Vulnerable:
Using an account mapped only to the Monitor or Auditor role, attempt `:suspend` (and then `:resume`) on the root resource via the management CLI or console, preferably against a test instance because a successful suspend stops the server serving requests. If the operation succeeds instead of failing with an authorization error, the server is vulnerable.
Check Version:
Run `jboss-cli.sh --version` for the CLI build, or connect with `jboss-cli.sh --connect` and run the `version` command (or `:read-attribute(name=product-version)`) to get the running server version; the server startup log also prints it.
Verify Fix Applied:
After patching, verify that Monitor/Auditor role users receive an authorization failure (an outcome of `failed`) when attempting suspend/resume operations, and that the management audit log, if enabled, records the attempt with `"success" : false`.
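The check above, scripted: an added example that is not code from the advisory or from the Wildfly project. It drives the stock `jboss-cli.sh` non-interactively with its existing `--connect`, `--controller`, `--user`, `--password` and `--command` flags and classifies the DMR result the CLI prints (`"outcome" => "success"` or `"failed"`). The controller address, CLI path and the `monitor1` account are placeholders; the account must be mapped only to Monitor or Auditor. Run it against a test instance, since a successful suspend is the vulnerable outcome and interrupts service; the script issues `:resume` immediately in that case.

```python
"""Probe whether a read-only (Monitor/Auditor) account can suspend the server."""
import subprocess
from typing import List, Optional

# Placeholders (assumptions for the example), adjust to your deployment.
CLI_PATH = "/opt/wildfly/bin/jboss-cli.sh"
CONTROLLER = "mgmt.example.internal:9990"
MONITOR_USER = "monitor1"
MONITOR_PASSWORD = "changeme"


def cli_argv(cli_path: str, controller: str, user: str, password: str,
             operation: str) -> List[str]:
    """argv for one non-interactive jboss-cli run of a single operation."""
    return [cli_path, "--connect", f"--controller={controller}",
            f"--user={user}", f"--password={password}",
            f"--command={operation}"]


def outcome(cli_output: str) -> Optional[str]:
    """Return the 'outcome' value from CLI output in DMR text form, e.g.

        {
            "outcome" => "failed",
            "failure-description" => "...",
        }

    or None when no outcome block is present (connection/credential errors)."""
    for raw in cli_output.splitlines():
        line = raw.strip()
        if line.startswith('"outcome"'):
            return line.split("=>", 1)[1].strip().rstrip(",").strip().strip('"')
    return None


def classify(cli_output: str) -> str:
    """Verdict for a :suspend attempt made by a read-only role.

    success  -> the handler skipped authorization: VULNERABLE
    failed   -> the operation was rejected; read the failure-description to
                confirm it is an authorization denial: NOT VULNERABLE
    none     -> the CLI never reached the server: INCONCLUSIVE
    """
    result = outcome(cli_output)
    if result == "success":
        return "VULNERABLE"
    if result == "failed":
        return "NOT VULNERABLE"
    return "INCONCLUSIVE"


def run_op(operation: str) -> str:
    """Run one root-resource operation as the read-only account, return output."""
    proc = subprocess.run(
        cli_argv(CLI_PATH, CONTROLLER, MONITOR_USER, MONITOR_PASSWORD, operation),
        capture_output=True, text=True, timeout=60)
    return proc.stdout + proc.stderr


def probe() -> str:
    """Attempt :suspend; if it went through, undo it with :resume at once."""
    output = run_op(":suspend")
    verdict = classify(output)
    if verdict == "VULNERABLE":
        # The read-only account managed to suspend the server: restore service.
        run_op(":resume")
    return verdict


if __name__ == "__main__":
    print(probe())
```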
📡 Detection & Monitoring
Log Indicators:
- Unauthorized suspend/resume operations in Wildfly audit logs
- Authorization failures for Monitor/Auditor roles attempting management operations
Network Indicators:
- Management interface traffic from non-admin sources
- Unexpected suspend/resume API calls
SIEM Query:
source="wildfly" AND (event="suspend" OR event="resume") AND (user_role="Monitor" OR user_role="Auditor")
(Field names depend on how your pipeline parses the Wildfly audit log; the audit record itself carries the user name, not the role, so the role has to be joined from the RBAC role-mapping configuration.)
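The detection logic in runnable form, as an added example that is not code from the advisory or the Wildfly project. It assumes the management audit logger is enabled and writes one JSON record per line (the json-formatter's `compact=true` option), optionally prefixed by a timestamp and ` - `, with the default fields `user`, `remote-address`, `success` and `ops` (each op carrying `operation` and `address`). Because the record names the user and not the role, the set of Monitor/Auditor accounts is passed in from the role-mapping configuration. The sample log lines are constructed for the example, not captured from a real server.

```python
"""Flag suspend/resume operations issued by Monitor/Auditor accounts in the
Wildfly management audit log."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Root-resource operations in standalone mode plus the host-level forms used
# in domain mode.
SUSPEND_RESUME_OPS = {"suspend", "resume", "suspend-servers", "resume-servers"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    remote_address: str
    operation: str
    address: str
    success: bool


def parse_record(line: str) -> Optional[dict]:
    """Return the JSON object in an audit-log line, or None if there is none."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def scan(lines: Iterable[str], watched_users: Set[str]) -> List[Finding]:
    """Suspend/resume operations issued by any of watched_users.

    "success": true on an unpatched server means the flaw was exercised;
    "success": false after patching is the expected authorization denial.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("user") not in watched_users:
            continue
        brace = line.find("{")
        timestamp = line[:brace].rstrip(" -") if brace > 0 else ""
        for op in rec.get("ops", []):
            name = op.get("operation")
            if name in SUSPEND_RESUME_OPS:
                findings.append(Finding(
                    timestamp=timestamp,
                    user=rec["user"],
                    remote_address=rec.get("remote-address", ""),
                    operation=name,
                    address=json.dumps(op.get("address", [])),
                    success=bool(rec.get("success")),
                ))
    return findings


# Constructed sample records: a Monitor user suspending the server, an admin
# resuming it, an ordinary read by the Monitor user, a denied resume attempt
# by an Auditor after the patch, and a non-JSON line.
SAMPLE_LOG = [
    '2025-03-01 10:15:02 - {"type":"core","r/o":false,"booting":false,"version":"x.y.z",'
    '"user":"monitor1","domainUUID":null,"access":"HTTP","remote-address":"10.0.5.7",'
    '"success":true,"ops":[{"address":[],"operation":"suspend","timeout":0}]}',
    '2025-03-01 10:16:40 - {"type":"core","r/o":false,"booting":false,"version":"x.y.z",'
    '"user":"admin","domainUUID":null,"access":"NATIVE","remote-address":"10.0.1.2",'
    '"success":true,"ops":[{"address":[],"operation":"resume"}]}',
    '2025-03-02 08:00:11 - {"type":"core","r/o":true,"booting":false,"version":"x.y.z",'
    '"user":"monitor1","domainUUID":null,"access":"HTTP","remote-address":"10.0.5.7",'
    '"success":true,"ops":[{"address":[],"operation":"read-attribute","name":"server-state"}]}',
    '2025-03-03 09:30:00 - {"type":"core","r/o":false,"booting":false,"version":"x.y.z",'
    '"user":"auditor1","domainUUID":null,"access":"HTTP","remote-address":"10.0.5.9",'
    '"success":false,"ops":[{"address":[],"operation":"resume"}]}',
    "not a json record",
]

# Accounts mapped to Monitor/Auditor, taken from the role-mapping configuration.
MONITOR_AUDITOR_USERS = {"monitor1", "auditor1"}


def report(lines: Iterable[str] = SAMPLE_LOG,
           users: Set[str] = MONITOR_AUDITOR_USERS) -> List[str]:
    """One alert line per finding, suitable for forwarding to a SIEM."""
    out = []
    for f in scan(lines, users):
        verdict = "EXECUTED (vulnerable)" if f.success else "denied (expected after fix)"
        out.append(f"{f.timestamp} {f.user}@{f.remote_address} "
                   f"{f.operation} on {f.address}: {verdict}")
    return out


if __name__ == "__main__":
    for alert in report():
        print(alert)
```

Pointing `report()` at `open("/opt/wildfly/standalone/data/audit-log.log")` (the default standalone audit log path, adjusted for your installation) runs the same logic over the real file; the admin's own resume is deliberately not flagged because only the watched accounts are of interest.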
🔗 References
- https://access.redhat.com/errata/RHSA-2025:3465
- https://access.redhat.com/errata/RHSA-2025:3467
- https://access.redhat.com/errata/RHSA-2025:3989
- https://access.redhat.com/errata/RHSA-2025:3990
- https://access.redhat.com/errata/RHSA-2025:3992
- https://access.redhat.com/security/cve/CVE-2025-23367
- https://bugzilla.redhat.com/show_bug.cgi?id=2337620
- https://github.com/advisories/GHSA-qr6x-62gq-4ccp