
CVE-2021-35464

Severity: CRITICAL, CVSS 3.1 base score 9.8
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2021-07-22 (assigner: cve@mitre.org)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:19 (vuln.today)
Added to CISA KEV: Nov 05, 2025 - 19:11 (cisa)
PoC Detected: Nov 05, 2025 - 19:11 (vuln.today); public exploit code
CVE Published: Jul 22, 2021 - 18:15 (nvd)

Description (NVD)

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of the Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.

Analysis (AI)

ForgeRock AM (Access Management) before version 7.0 contains a Java deserialization vulnerability in the jato.pageSession parameter enabling unauthenticated remote code execution via a single HTTP request.

Technical Context (AI)

The CWE-502 flaw is that the value of the jato.pageSession parameter, which arrives in an unauthenticated HTTP request, is deserialized as a Java object. ForgeRock AM inherits the Sun ONE/OpenSSO framework's page-session serialization, which uses Java's default ObjectInputStream without class filtering, so any gadget chain present on the server's classpath can be triggered during deserialization.

Affected Products (AI)

ForgeRock AM server before 7.0
OpenAM-based deployments

Remediation (AI)

Upgrade to ForgeRock AM 7.0 or later. Where upgrading is not immediately possible, apply the vendor's security patch for older versions. Monitor access logs for exploitation indicators (unusual requests to /ccversion/, which is not part of normal user traffic). Restrict network access to AM administrative endpoints.
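As an added detection example (not part of the vuln.today record or of the ForgeRock product), the script below implements the access-log check named above: it parses combined-format access-log lines (an assumed format) and flags requests whose path contains /ccversion/, rating those whose query string carries jato.pageSession higher; the sample log lines, addresses and parameter value are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/Tomcat "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

@dataclass
class Finding:
    client: str
    time: str
    method: str
    target: str
    status: int
    severity: str  # "high" or "medium", see classify()

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a /ccversion/* request, or None.
    high: the query string carries jato.pageSession, the deserialization sink
    named in the advisory. medium: any other /ccversion/* request (a POST body
    is not logged, so the parameter may be present without being visible here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    url = urlsplit(target)
    # AM usually sits under a context root (/openam, /am); match the path segment.
    if "/ccversion/" not in url.path:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    severity = "high" if "jato.pageSession" in params else "medium"
    return Finding(m.group("client"), m.group("time"), m.group("method"),
                   target, int(m.group("status")), severity)

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines: addresses and the parameter value are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2025:19:11:02 +0000] "GET /openam/ccversion/Version?jato.pageSession=PLACEHOLDER HTTP/1.1" 500 1024 "-" "curl/7.88.1"',
    '203.0.113.5 - - [05/Nov/2025:19:11:03 +0000] "POST /openam/ccversion/Version HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '198.51.100.7 - - [05/Nov/2025:19:12:10 +0000] "GET /openam/XUI/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

scan(SAMPLE_LOG) returns two findings for the constructed input, a high for the first line and a medium for the second; the XUI request is ignored.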
