CVE-2025-63617

6.5 MEDIUM

📋 TL;DR

This vulnerability allows remote code execution through unsafe fastjson deserialization in ktg-mes systems. Attackers can exploit this by sending malicious serialized data to vulnerable endpoints. Organizations using ktg-mes versions before commit a484f96 (2025-07-03) are affected.

💻 Affected Systems

Products:
  • ktg-mes
Versions: All versions before commit a484f96 (2025-07-03)
Operating Systems: Any OS running ktg-mes
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when ktg-mes processes untrusted input via fastjson deserialization.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with arbitrary code execution, data theft, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to service disruption, data exfiltration, or deployment of malware.

🟢 If Mitigated

Limited impact with proper input validation and network segmentation, potentially only denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Fastjson vulnerabilities are well-documented and frequently exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit a484f96 or later (2025-07-03+)

Vendor Advisory: https://github.com/ChangeYourWay/post/blob/main/ktg-mes.md

Restart Required: Yes

Instructions:

1. Update ktg-mes to commit a484f96 or later.
2. Restart the ktg-mes service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement strict input validation to reject unexpected JSON structures.

# Configure application to validate JSON input before deserialization
# Use allowlists for expected JSON structures
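As an added illustration of the allowlist approach described above (this is not code from ktg-mes or from the advisory), the snippet below shows how a Java application that uses fastjson can turn on safeMode, which refuses `@type`-driven autoType instantiation, and then parse untrusted input only into one fixed, expected class. The `WorkOrder` class, the endpoint wrapper and the sample inputs are hypothetical; `ParserConfig#setSafeMode` requires fastjson 1.2.68 or later.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeJsonParsing {

    // Hypothetical DTO standing in for whatever structure the endpoint expects.
    // fastjson populates public fields directly, so no setters are needed here.
    public static class WorkOrder {
        public String orderNo;
        public int quantity;
    }

    static {
        // Hardening: safeMode disables autoType completely (fastjson >= 1.2.68).
        // Any "@type" key in a payload is then rejected instead of being honoured.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        // If application code cannot be changed, the same effect is available as a
        // JVM flag: -Dfastjson.parser.safeMode=true
    }

    // Parse untrusted input into a fixed target class only. Never fall back to the
    // untyped JSON.parse(String) / JSON.parseObject(String) forms for external data.
    public static WorkOrder parseWorkOrder(String untrustedJson) {
        try {
            return JSON.parseObject(untrustedJson, WorkOrder.class);
        } catch (JSONException e) {
            // Reject and surface to logging; the message is a useful detection signal.
            throw new IllegalArgumentException("rejected JSON input: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request or incident.
        String benign = "{\"orderNo\":\"WO-1\",\"quantity\":3}";
        String typed  = "{\"@type\":\"com.example.SomeClass\",\"orderNo\":\"WO-1\"}";

        System.out.println("accepted: " + parseWorkOrder(benign).orderNo);
        try {
            parseWorkOrder(typed);
        } catch (IllegalArgumentException e) {
            // With safeMode on, the "@type" payload ends up here rather than being deserialized.
            System.out.println(e.getMessage());
        }
    }
}
```

If the application genuinely needs polymorphic deserialization for a small set of its own classes, `ParserConfig.getGlobalInstance().addAccept("com.example.dto.")` registers an explicit package allowlist instead; safeMode and a tight allowlist are the two defensible configurations, while leaving autoType open on an Internet-facing endpoint is the condition this CVE describes.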

Network Segmentation

Platform: linux

Restrict network access to ktg-mes endpoints to trusted sources. Replace TRUSTED_IP and APP_PORT with the client address (or range) and the port ktg-mes listens on.

# firewalld: allow the trusted source, then reload so the permanent rule takes effect
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port port="APP_PORT" protocol="tcp" accept'
# firewall-cmd --reload

# iptables: accept the trusted source, then drop everything else to that port
# iptables -A INPUT -p tcp --dport APP_PORT -s TRUSTED_IP -j ACCEPT
# iptables -A INPUT -p tcp --dport APP_PORT -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy web application firewall with JSON deserialization protection rules

🔍 How to Verify

Check if Vulnerable:

Check the deployed ktg-mes commit hash against the vulnerable range (any commit before a484f96).

Check Version:

git log --oneline -1 # or check application version output

Verify Fix Applied:

Confirm ktg-mes is running commit a484f96 or later and test with safe deserialization inputs

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON payloads in application logs
  • Stack traces containing fastjson deserialization errors
  • Unexpected process spawns

Network Indicators:

  • Malformed JSON requests to ktg-mes endpoints
  • Unusual outbound connections from ktg-mes server

SIEM Query:

source="ktg-mes.log" AND ("fastjson" OR "deserialization" OR "JSON.parse")
