CVE-2025-48913

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache CXF allows untrusted users who can configure JMS endpoints to use RMI or LDAP URLs, potentially leading to remote code execution. Systems where untrusted users have JMS configuration access are affected. The vulnerability has been patched in newer versions.

💻 Affected Systems

Products:
  • Apache CXF
Versions: All versions before 3.6.8, 4.0.9, and 4.1.3
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when untrusted users are allowed to configure JMS endpoints. Default configurations may not expose this vulnerability.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to execute arbitrary code on the server.

🟠

Likely Case

Remote code execution leading to data theft, service disruption, or lateral movement within the network.

🟢

If Mitigated

No impact if proper access controls prevent untrusted users from configuring JMS endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires JMS configuration access; an attacker with that access supplies an RMI or LDAP URL, and the vulnerability is then exploited through the RMI/LDAP deserialization attack path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.8, 4.0.9, or 4.1.3

Vendor Advisory: https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83

Restart Required: Yes

Instructions:

1. Download Apache CXF version 3.6.8, 4.0.9, or 4.1.3 from official sources.
2. Replace the existing CXF libraries with the patched versions.
3. Restart all services that use Apache CXF.
4. Verify the fix by checking the version and testing that JMS configuration restrictions are enforced.

🔧 Temporary Workarounds

Restrict JMS Configuration Access

Applies to: all

Prevent untrusted users from configuring JMS endpoints through access controls.

Network Segmentation

Applies to: all

Block outbound RMI and LDAP connections from affected systems at the network level.

🧯 If You Can't Patch

  • Implement strict access controls to prevent untrusted users from configuring JMS endpoints.
  • Deploy network filtering to block RMI and LDAP traffic from affected systems.

🔍 How to Verify

Check if Vulnerable:

Check if untrusted users can configure JMS endpoints and if Apache CXF version is below 3.6.8, 4.0.9, or 4.1.3.

Check Version:

Check CXF version in application logs, configuration files, or via API if exposed.

Verify Fix Applied:

Verify Apache CXF version is 3.6.8, 4.0.9, or 4.1.3 and test that RMI/LDAP URLs are rejected in JMS configuration.

📡 Detection & Monitoring

Log Indicators:

  • JMS configuration attempts with RMI or LDAP URLs
  • Unexpected deserialization errors

Network Indicators:

  • Outbound RMI or LDAP connections from CXF servers
  • Unusual network traffic to JMS endpoints

SIEM Query:

source="cxf" AND (url="*rmi://*" OR url="*ldap://*")
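As an added example (not part of this advisory page), the rule behind the SIEM query above applied in Python to constructed log lines: it flags JMS endpoint configuration events whose URL uses the rmi or ldap scheme and records the destination host for follow-up. The log format and the `url=` field are assumptions, not Apache CXF's actual log output.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (not from any real system). Two of the four
# configuration events carry an RMI or LDAP URL and should be flagged.
SAMPLE_LOG = """\
2025-07-01T10:02:11Z INFO  cxf.jms configure endpoint=orders  url=tcp://mq.internal:61616
2025-07-01T10:05:43Z INFO  cxf.jms configure endpoint=audit   url=rmi://203.0.113.7:1099/Obj
2025-07-01T10:06:02Z WARN  cxf.jms configure endpoint=audit   url=LDAP://203.0.113.7:1389/a=b
2025-07-01T10:07:15Z INFO  cxf.jms configure endpoint=billing url=vm://localhost
"""

# The two schemes the advisory names. Matching is case-insensitive because a
# URL scheme is case-insensitive and an attacker may vary the case.
_URL_RE = re.compile(r"\b(?P<scheme>rmi|ldap)://(?P<host>[^/:\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    line: int      # 1-based line number in the log text
    scheme: str    # normalised to lower case: "rmi" or "ldap"
    host: str      # destination host, useful for correlating network logs
    raw: str       # the original log line


def find_jndi_url_indicators(log_text: str) -> List[Finding]:
    """Return one Finding per log line that contains an rmi:// or ldap:// URL."""
    findings: List[Finding] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = _URL_RE.search(line)
        if match:
            findings.append(Finding(
                line=lineno,
                scheme=match.group("scheme").lower(),
                host=match.group("host"),
                raw=line,
            ))
    return findings


if __name__ == "__main__":
    for f in find_jndi_url_indicators(SAMPLE_LOG):
        print(f"line {f.line}: {f.scheme} URL to host {f.host}")
```

Pair a hit from this check with the network indicators listed above: an outbound connection from the CXF server to the same host on the RMI or LDAP port strengthens the finding.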
