CVE-2025-2566 - Vulnerability Details - OpenCVE

Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01

History

Tue, 24 Jun 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Jun 2025 18:45:00 +0000

Type	Values Removed	Values Added
Description		Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
Title		Deserialization of Untrusted Data in Kaleris Navis N4
Weaknesses		CWE-502
References		https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2025-06-24T18:27:21.479Z

Updated: 2025-06-24T18:47:46.713Z

Reserved: 2025-03-20T16:48:15.650Z

Link: CVE-2025-2566

Vulnrichment

Updated: 2025-06-24T18:47:42.879Z

NVD

Status : Awaiting Analysis

Published: 2025-06-24T19:15:23.520

Modified: 2025-06-26T18:58:14.280

Link: CVE-2025-2566

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2566", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-03-20T16:48:15.650Z", "datePublished": "2025-06-24T18:27:21.479Z", "dateUpdated": "2025-06-24T18:47:46.713Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Navis N4", "vendor": "Kaleris", "versions": [{"lessThan": "4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2025-06-24T18:23:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.</p><br>"}], "value": "Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-06-24T18:27:21.479Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Kaleris recommends users to implement the following versions or later:</p><ul><li>Navis N4: Version 3.1.44+</li><li>Navis N4: Version 3.2.26+</li><li>Navis N4: Version 3.3.27+</li><li>Navis N4: Version 3.4.25+</li><li>Navis N4: Version 3.5.18+</li><li>Navis N4: Version 3.6.14+</li><li>Navis N4: Version 3.7.0+</li><li>Navis N4: Version 3.8.0+</li></ul><p>If users are unable to update, Kaleris recommends following these mitigations:</p><ul><li>If N4 does not need to be exposed to the internet, placing it behind a firewall.</li><li>If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp</url-pattern\" and \"url-pattern/ulc</url-pattern\"</li><li>The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.</li><li>If the Ultra Light Client must be exposed to the Internet, do one of the following:<br>a. Set up a secure VPN connection to allow access for known external parties.<br>b. Set up an authenticated jump system (Citrix, VDI, Etc.).<br>c. Whitelist external allowed IPs. (least secure option)</li><li>Additionally, the following controls should be applied:<br>a. Restrict the number of N4 nodes exposed to the internet.<br>b. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.<br>c. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.</li><li>Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.</li><li>A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.</li></ul><p>Kaleris has sent a security advisory to all customers running Kaleris software.</p><p>For more information, users should email <a target=\"_blank\" rel=\"nofollow\">security@kaleris.com</a></p>\n\n<br>"}], "value": "Kaleris recommends users to implement the following versions or later:\n\n * Navis N4: Version 3.1.44+\n * Navis N4: Version 3.2.26+\n * Navis N4: Version 3.3.27+\n * Navis N4: Version 3.4.25+\n * Navis N4: Version 3.5.18+\n * Navis N4: Version 3.6.14+\n * Navis N4: Version 3.7.0+\n * Navis N4: Version 3.8.0+\n\n\nIf users are unable to update, Kaleris recommends following these mitigations:\n\n * If N4 does not need to be exposed to the internet, placing it behind a firewall.\n * If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp</url-pattern\" and \"url-pattern/ulc</url-pattern\"\n * The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.\n * If the Ultra Light Client must be exposed to the Internet, do one of the following:\na. Set up a secure VPN connection to allow access for known external parties.\nb. Set up an authenticated jump system (Citrix, VDI, Etc.).\nc. Whitelist external allowed IPs. (least secure option)\n * Additionally, the following controls should be applied:\na. Restrict the number of N4 nodes exposed to the internet.\nb. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.\nc. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.\n * Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.\n * A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.\n\n\nKaleris has sent a security advisory to all customers running Kaleris software.\n\nFor more information, users should email security@kaleris.com"}], "source": {"discovery": "UNKNOWN"}, "title": "Deserialization of Untrusted Data in Kaleris Navis N4", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T18:47:18.544221Z", "id": "CVE-2025-2566", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T18:47:46.713Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2566", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-24T18:47:18.544221Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T18:47:42.879Z"}}], "cna": {"title": "Deserialization of Untrusted Data in Kaleris Navis N4", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kaleris", "product": "Navis N4", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Kaleris recommends users to implement the following versions or later:\n\n * Navis N4: Version 3.1.44+\n * Navis N4: Version 3.2.26+\n * Navis N4: Version 3.3.27+\n * Navis N4: Version 3.4.25+\n * Navis N4: Version 3.5.18+\n * Navis N4: Version 3.6.14+\n * Navis N4: Version 3.7.0+\n * Navis N4: Version 3.8.0+\n\n\nIf users are unable to update, Kaleris recommends following these mitigations:\n\n * If N4 does not need to be exposed to the internet, placing it behind a firewall.\n * If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp</url-pattern\" and \"url-pattern/ulc</url-pattern\"\n * The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.\n * If the Ultra Light Client must be exposed to the Internet, do one of the following:\na. Set up a secure VPN connection to allow access for known external parties.\nb. Set up an authenticated jump system (Citrix, VDI, Etc.).\nc. Whitelist external allowed IPs. (least secure option)\n * Additionally, the following controls should be applied:\na. Restrict the number of N4 nodes exposed to the internet.\nb. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.\nc. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.\n * Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.\n * A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.\n\n\nKaleris has sent a security advisory to all customers running Kaleris software.\n\nFor more information, users should email security@kaleris.com", "supportingMedia": [{"type": "text/html", "value": "<p>Kaleris recommends users to implement the following versions or later:</p><ul><li>Navis N4: Version 3.1.44+</li><li>Navis N4: Version 3.2.26+</li><li>Navis N4: Version 3.3.27+</li><li>Navis N4: Version 3.4.25+</li><li>Navis N4: Version 3.5.18+</li><li>Navis N4: Version 3.6.14+</li><li>Navis N4: Version 3.7.0+</li><li>Navis N4: Version 3.8.0+</li></ul><p>If users are unable to update, Kaleris recommends following these mitigations:</p><ul><li>If N4 does not need to be exposed to the internet, placing it behind a firewall.</li><li>If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp</url-pattern\" and \"url-pattern/ulc</url-pattern\"</li><li>The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.</li><li>If the Ultra Light Client must be exposed to the Internet, do one of the following:<br>a. Set up a secure VPN connection to allow access for known external parties.<br>b. Set up an authenticated jump system (Citrix, VDI, Etc.).<br>c. Whitelist external allowed IPs. (least secure option)</li><li>Additionally, the following controls should be applied:<br>a. Restrict the number of N4 nodes exposed to the internet.<br>b. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.<br>c. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.</li><li>Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.</li><li>A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.</li></ul><p>Kaleris has sent a security advisory to all customers running Kaleris software.</p><p>For more information, users should email <a target=\"_blank\" rel=\"nofollow\">security@kaleris.com</a></p>\n\n<br>", "base64": false}]}], "datePublic": "2025-06-24T18:23:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.", "supportingMedia": [{"type": "text/html", "value": "<p>Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-06-24T18:27:21.479Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2566", "state": "PUBLISHED", "dateUpdated": "2025-06-24T18:47:46.713Z", "dateReserved": "2025-03-20T16:48:15.650Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-06-24T18:27:21.479Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server."}, {"lang": "es", "value": "Kaleris NAVIS N4 ULC (Cliente Ultraligero) contiene una vulnerabilidad de deserializaci\u00f3n de Java insegura. Un atacante no autenticado puede realizar solicitudes especialmente manipuladas para ejecutar c\u00f3digo arbitrario en el servidor."}], "id": "CVE-2025-2566", "lastModified": "2025-06-26T18:58:14.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-06-24T19:15:23.520", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}