A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.
Security readout for executives and security teams
Plain-English summary
CVE-2025-2251 affects WildFly/JBoss EAP EJB remote invocation handling. A crafted serialized object may lead to remote code execution. Business urgency depends on whether affected JBoss EAP/WildFly systems expose EJB remote invocation. Red Hat rates it medium, but RCE impact warrants timely validation and patch planning.
Executive priority
Treat as a near-term remediation item, especially for business-critical JBoss EAP systems. It is not currently KEV-backed in the supplied sources, but possible RCE in application infrastructure justifies prompt inventory, exposure reduction, and vendor update deployment.
Technical view
The flaw is CWE-502 improper deserialization in JBoss Marshalling used by WildFly EJB3 remote invocation. Red Hat lists JBoss EAP 7.4 package builds for RHEL 8 and 9 as affected and published multiple RHSAs. Source data is inconsistent: the description says unauthenticated RCE, while the CVSS vector states PR:H and AC:H.
Likely exposure
Most relevant exposure is Red Hat JBoss EAP 7.4 on RHEL 8 or 9 with affected eap7 packages, and WildFly deployments using EJB remote invocation. Internet-facing or broadly reachable EJB remote services raise priority. Systems not using EJB remote invocation may have lower practical exposure.
Exploitation context
No CISA KEV listing is provided, and the source bundle does not show confirmed active exploitation. Exploitation involves sending crafted serialized data to the EJB remote invocation mechanism. Public evidence here does not provide reliable detail on required privileges because the narrative and CVSS vector conflict.
Researcher notes
Focus on confirming affected package versions and EJB remote invocation exposure. Note the important data inconsistency between unauthenticated wording and CVSS PR:H. Avoid assuming exploitability conditions beyond the vendor sources. Use Red Hat advisories and WildFly change references for fix correlation.
Mitigation direction
Apply applicable Red Hat RHSA updates for affected JBoss EAP 7.4 packages.
Review Red Hat CVE guidance for exact fixed package versions.
For community WildFly, review WildFly 36.0.0.Final and PR 18872.
Restrict network access to EJB remote invocation interfaces while remediation is pending.
Disable unused EJB remote invocation exposure where operationally feasible.
Validation and detection
Inventory JBoss EAP 7.4 and WildFly deployments.
Identify RHEL 8 or 9 systems with listed eap7 packages.
Compare installed package versions against relevant Red Hat advisories.
Determine whether EJB remote invocation is enabled and reachable.
Prioritize externally reachable or cross-trust-zone EJB endpoints.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
13Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.