CVE-2025-64428

9.8 CRITICAL

📋 TL;DR

This CVE describes a JNDI injection vulnerability in Dataease, an open-source data visualization tool. Attackers can exploit it to execute arbitrary code on affected systems by supplying JNDI lookup names that use the iiop, corbaname, or iiopname schemes. All Dataease installations running versions before 2.10.17 are vulnerable.

💻 Affected Systems

Products:
  • Dataease
Versions: All versions prior to 2.10.17
Operating Systems: All platforms running Dataease
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability persists in versions that include the scheme blacklist introduced in 2.10.14, because that blacklist was incomplete.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution allowing attackers to deploy malware, establish persistence, and access sensitive data.

🟢 If Mitigated

Limited impact if network segmentation and strict egress filtering prevent JNDI callbacks to attacker-controlled servers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

JNDI injection is a well-known attack vector with established exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.17

Vendor Advisory: https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h

Restart Required: Yes

Instructions:

1. Back up your Dataease configuration and data.
2. Download version 2.10.17 from the official releases.
3. Stop the Dataease service.
4. Replace the installation with the patched version.
5. Restart the service.

🔧 Temporary Workarounds

Network Segmentation and Egress Filtering

Platforms: all

Block outbound connections from the Dataease server so that JNDI lookups cannot reach attacker-controlled LDAP, RMI, or IIOP servers.

Disable JNDI Lookup

Platforms: all

Configure Java security settings to disable JNDI lookups if the application supports it. The following JVM properties can be appended to the java command that starts Dataease:

java -Dcom.sun.jndi.ldap.object.trustURLCodebase=false -Dcom.sun.jndi.rmi.object.trustURLCodebase=false

Note that these two properties only restrict remote class loading (URL codebases) for the LDAP and RMI providers and are already false by default in current JDKs; they do not affect the iiop, corbaname, or iiopname providers this CVE concerns, so treat them as defence in depth rather than a fix.

🧯 If You Can't Patch

  • Isolate the Dataease instance in a restricted network segment with no internet access.
  • Implement strict egress filtering to block all outbound connections from the Dataease server.

🔍 How to Verify

Check if Vulnerable:

Check the Dataease version via the web interface or configuration files. If the version is below 2.10.17, the system is vulnerable.

Check Version:

Check the web interface or examine the application's version file if available.

Verify Fix Applied:

Confirm the version is 2.10.17 or higher and verify the patch commit b7e585c1cc3fc2b73cb289b8680b4b3914be3d53 is applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JNDI lookup patterns in application logs
  • Outbound connections to suspicious IPs/domains

Network Indicators:

  • Outbound LDAP/RMI/IIOP connections from Dataease server to unknown external hosts

SIEM Query:

source="dataease" AND (jndi OR ldap OR rmi OR iiop) AND (lookup OR connect)
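As an added example (not code from this page or from the Dataease project), the following Python scanner applies the detection logic above to a few constructed log lines and also illustrates the point made under Affected Systems: a scheme blacklist that only knows the classic ldap/rmi providers lets iiop and corbaname lookups through, whereas allowlisting only the JVM-local java: namespace catches them. The log format, field names and TEST-NET addresses are constructed, NAIVE_BLACKLIST is a hypothetical list and not Dataease's own, and the java:-only allowlist is an assumption about normal use.

```python
import re
from typing import Iterable, List, NamedTuple

# JNDI provider schemes whose lookup makes the JVM open an outbound connection:
# iiop/iiopname/corbaname are the ones this advisory names; ldap/rmi are the classic ones.
REMOTE_SCHEMES = frozenset({"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname"})
# Hypothetical blacklist knowing only the classic schemes (constructed to illustrate
# why scheme blacklists are incomplete; this is not Dataease's own list).
NAIVE_BLACKLIST = frozenset({"ldap", "ldaps", "rmi"})
# Allowlist: assumption that only the JVM-local "java:" namespace is expected in normal use.
LOCAL_SCHEMES = frozenset({"java"})
# A JNDI name: optional "jndi:" prefix, a URL scheme, a colon, then the rest of the name.
_JNDI_NAME = re.compile(r"""(?<![\w.-])(?:jndi:)?(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*):(?P<rest>[^\s"'<>]+)""")


class Finding(NamedTuple):
    line_no: int
    scheme: str
    name: str
    caught_by_naive_blacklist: bool


def extract_jndi_names(line: str) -> List[tuple]:
    """Return (scheme, full_name) pairs for every JNDI-looking name in one log line."""
    return [(m.group("scheme").lower(), m.group(0)) for m in _JNDI_NAME.finditer(line)]


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag every lookup whose scheme is outside the local allowlist."""
    findings = []
    for no, line in enumerate(lines, 1):
        for scheme, name in extract_jndi_names(line):
            if scheme in LOCAL_SCHEMES:
                continue  # java:comp/env/... never leaves the JVM
            findings.append(Finding(no, scheme, name, scheme in NAIVE_BLACKLIST))
    return findings


def missed_by_naive_blacklist(findings: Iterable[Finding]) -> set:
    """Remote schemes seen in the log that a classic ldap/rmi blacklist would not have stopped."""
    return {f.scheme for f in findings if f.scheme in REMOTE_SCHEMES and not f.caught_by_naive_blacklist}


# Constructed sample log lines (not real Dataease output); hosts use TEST-NET-3 addresses.
SAMPLE_LOG = """\
2025-11-20 10:02:13 INFO  datasource.connect name=java:comp/env/jdbc/ds user=alice
2025-11-20 10:02:41 INFO  datasource.connect name=ldap://203.0.113.5:1389/x user=bob
2025-11-20 10:03:05 INFO  datasource.connect name=iiop://203.0.113.5:1050/x user=bob
2025-11-20 10:03:22 WARN  datasource.connect name=corbaname::203.0.113.5:1050#x user=bob
2025-11-20 10:04:00 INFO  health check ok
"""
```

Running scan(SAMPLE_LOG.splitlines()) flags lines 2, 3 and 4; only the ldap lookup on line 2 would have been stopped by the naive blacklist.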
