LiveActive security incident?Get immediate response
CVE Record

CVE-2025-2251: Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

MediumCVSS 6.2Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-2251 affects WildFly/JBoss EAP EJB remote invocation handling. A crafted serialized object may lead to remote code execution. Business urgency depends on whether affected JBoss EAP/WildFly systems expose EJB remote invocation. Red Hat rates it medium, but RCE impact warrants timely validation and patch planning.

Executive priority

Treat as a near-term remediation item, especially for business-critical JBoss EAP systems. It is not currently KEV-backed in the supplied sources, but possible RCE in application infrastructure justifies prompt inventory, exposure reduction, and vendor update deployment.

Technical view

The flaw is CWE-502 improper deserialization in JBoss Marshalling used by WildFly EJB3 remote invocation. Red Hat lists JBoss EAP 7.4 package builds for RHEL 8 and 9 as affected and published multiple RHSAs. Source data is inconsistent: the description says unauthenticated RCE, while the CVSS vector states PR:H and AC:H.

Likely exposure

Most relevant exposure is Red Hat JBoss EAP 7.4 on RHEL 8 or 9 with affected eap7 packages, and WildFly deployments using EJB remote invocation. Internet-facing or broadly reachable EJB remote services raise priority. Systems not using EJB remote invocation may have lower practical exposure.

Exploitation context

No CISA KEV listing is provided, and the source bundle does not show confirmed active exploitation. Exploitation involves sending crafted serialized data to the EJB remote invocation mechanism. Public evidence here does not provide reliable detail on required privileges because the narrative and CVSS vector conflict.

Researcher notes

Focus on confirming affected package versions and EJB remote invocation exposure. Note the important data inconsistency between unauthenticated wording and CVSS PR:H. Avoid assuming exploitability conditions beyond the vendor sources. Use Red Hat advisories and WildFly change references for fix correlation.

Mitigation direction

  • Apply applicable Red Hat RHSA updates for affected JBoss EAP 7.4 packages.
  • Review Red Hat CVE guidance for exact fixed package versions.
  • For community WildFly, review WildFly 36.0.0.Final and PR 18872.
  • Restrict network access to EJB remote invocation interfaces while remediation is pending.
  • Disable unused EJB remote invocation exposure where operationally feasible.

Validation and detection

  • Inventory JBoss EAP 7.4 and WildFly deployments.
  • Identify RHEL 8 or 9 systems with listed eap7 packages.
  • Compare installed package versions against relevant Red Hat advisories.
  • Determine whether EJB remote invocation is enabled and reachable.
  • Prioritize externally reachable or cross-trust-zone EJB endpoints.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-502: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-2251 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.2 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.2CVSS 3.1MediumCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H0.75.5redhat

Vulnerability scoring details

Base CVSS 3.1 score

6.2Medium
CVSS 3.1 vector shape for CVE-2025-2251Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineredhat

    Reported to Red Hat.

  2. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  3. Source timelineredhat

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Unknown vendorwildflywildfly, 0unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4.23wildfly-ejb3unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-activemq-artemis, 0:2.16.0-21.redhat_00055.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-apache-cxf, 0:3.5.10-1.redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-artemis-native, 1:1.0.2-5.redhat_00004.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-elytron-web, 0:1.9.6-1.Final_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-glassfish-jsf, 0:2.3.14-9.SP10_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-hal-console, 0:3.3.27-1.Final_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-hibernate-validator, 0:6.0.23-3.SP2_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-ironjacamar, 0:1.5.21-1.Final_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-jboss-server-migration, 0:1.10.0-42.Final_redhat_00042.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-jbossws-cxf, 0:5.4.15-1.Final_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-wildfly, 0:7.4.23-3.GA_redhat_00002.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8eap7-wildfly-elytron, 0:1.15.26-1.Final_redhat_00001.1.el8eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-activemq-artemis, 0:2.16.0-21.redhat_00055.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-apache-cxf, 0:3.5.10-1.redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-artemis-native, 1:1.0.2-5.redhat_00004.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-elytron-web, 0:1.9.6-1.Final_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-glassfish-jsf, 0:2.3.14-9.SP10_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-hal-console, 0:3.3.27-1.Final_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-hibernate-validator, 0:6.0.23-3.SP2_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-ironjacamar, 0:1.5.21-1.Final_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-jboss-server-migration, 0:1.10.0-42.Final_redhat_00042.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-jbossws-cxf, 0:5.4.15-1.Final_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-wildfly, 0:7.4.23-3.GA_redhat_00002.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9eap7-wildfly-elytron, 0:1.15.26-1.Final_redhat_00001.1.el9eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 7eap7-activemq-artemis, 0:2.16.0-21.redhat_00055.1.el7eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 7eap7-apache-cxf, 0:3.5.10-1.redhat_00001.1.el7eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 7eap7-artemis-native, 1:1.0.2-5.redhat_00004.1.el7eapaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 7eap7-elytron-web, 0:1.9.6-1.Final_redhat_00001.1.el7eapaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-502 · source CWE mapping

Deserialization of Untrusted Data

Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.