CVE-2025-11538 | THREATINT

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

PUBLISHED Reserved 2025-10-09 | Published 2025-11-13 | Updated 2025-12-19 | Assigner redhat

MEDIUM: 6.8CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

Binding to an Unrestricted IP Address

Product status

Default status

unaffected

Any version before 26.4.4

affected

Default status

affected

26.4.4-1 (rpm) before *

unaffected

Default status

affected

26.4-3 (rpm) before *

unaffected

Default status

affected

26.4-3 (rpm) before *

unaffected

Default status

unaffected

Timeline

2025-10-09:	Reported to Red Hat.
2025-11-13:	Made public.

Credits

This issue was discovered by Steven Hawkins (Red Hat).

References

access.redhat.com/errata/RHSA-2025:21370 (RHSA-2025:21370) vendor-advisory

access.redhat.com/errata/RHSA-2025:21371 (RHSA-2025:21371) vendor-advisory

access.redhat.com/security/cve/CVE-2025-11538 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2402622 (RHBZ#2402622) issue-tracking

github.com/...ommit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9

github.com/keycloak/keycloak/pull/43574

cve.org (CVE-2025-11538)

nvd.nist.gov (CVE-2025-11538)

Download JSON

help @ threatint.eu