CVE-2025-26074
📋 TL;DR
CVE-2025-26074 is a critical remote code execution vulnerability in Orkes Conductor that allows attackers to execute arbitrary operating system commands through unrestricted access to Java classes. This affects all organizations running vulnerable versions of Orkes Conductor, potentially leading to complete system compromise.
💻 Affected Systems
- Orkes Conductor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining root/admin privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthorized remote code execution leading to service disruption, data theft, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and least privilege access controls are implemented, though RCE still poses significant risk.
🎯 Exploit Status
Public proof-of-concept demonstrates exploitation via inline JavaScript injection in ScriptEvaluator.java class.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.21.12 or later
Vendor Advisory: https://github.com/conductor-oss/conductor/security/advisories
Restart Required: Yes
Instructions:
1. Backup current configuration and data. 2. Stop Conductor service. 3. Update to v3.21.12 or later. 4. Restart Conductor service. 5. Verify functionality.
🔧 Temporary Workarounds
Disable ScriptEvaluator Endpoint
allTemporarily disable or restrict access to the vulnerable ScriptEvaluator endpoint
# Configure firewall rules to block access to /api/script endpoint
# Modify application configuration to disable script evaluation features
Network Segmentation
allIsolate Conductor instances from sensitive systems and restrict network access
# Implement firewall rules to limit Conductor network connectivity
# Use network segmentation to contain potential compromise
🧯 If You Can't Patch
- Implement strict network access controls and isolate Conductor instances
- Deploy web application firewall with RCE protection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check Conductor version - if running v3.21.11 or earlier, assume vulnerable. Review logs for suspicious script evaluation requests.Check Version:
curl -s http://conductor-host:port/health | grep version or check application logs for version informationVerify Fix Applied:
Verify Conductor version is v3.21.12 or later. Test that script evaluation functionality works correctly with proper input validation.📡 Detection & Monitoring
Log Indicators:
- Unusual script evaluation requests
- Java class loading errors
- Suspicious process execution from Conductor context
Network Indicators:
- Unexpected outbound connections from Conductor server
- Traffic to /api/script endpoint with malicious payloads
SIEM Query:
source="conductor.logs" AND ("ScriptEvaluator" OR "java.lang.Runtime" OR "ProcessBuilder")