Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
Analysis (AI-generated)
CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.
Technical Context (AI-generated)
The vulnerability stems from unsafe Java deserialization (CWE-502) in the NAVIS N4 ULC application. Java deserialization attacks occur when an application deserializes untrusted data without validating it, which lets an attacker instantiate arbitrary classes available on the classpath and chain their behaviour ("gadget chains") into code execution.

NAVIS N4 is a port terminal operating system used in maritime logistics and container management. The Ultra Light Client (ULC) variant is designed for lightweight client-server communication, which makes it reachable from external networks.

The vulnerability likely sits in the serialization/deserialization layer of the client-server communication protocol, potentially involving RMI (Remote Method Invocation), JMX, or custom serialization handlers. CPE identifiers would typically follow the pattern cpe:2.3:a:kaleris:navis_n4_ulc:*. Because the attack requires no authentication, the deserialization evidently takes place before any user validation checks.
Remediation (AI-generated)
Immediate actions:
1. Identify all systems running NAVIS N4 ULC and verify their versions against the Kaleris security advisory.
2. Apply vendor-supplied patches as soon as they are available from Kaleris support channels.
3. If patching is not immediately possible, use firewall rules to restrict access to NAVIS N4 ULC ports to authorized internal systems only.
4. Monitor network traffic for suspicious serialization payloads or Java gadget chain indicators.
5. If network isolation is not feasible, deploy a Web Application Firewall (WAF) or intrusion detection system (IDS) with rules that detect Java deserialization attack patterns.
6. Review audit logs for indicators of compromise, such as unusual process execution or outbound connections from application servers.
Contact Kaleris directly for patch availability and deployment timelines. Workarounds are limited given the fundamental nature of the vulnerability; patching is the primary remediation path.
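Remediation step 4 above calls for monitoring serialization payloads. The following added example (not code from vuln.today, Kaleris or NVD) is a small Python inspector that checks whether a request body is a Java serialization stream (magic 0xACED0005), heuristically extracts the class names it declares, and flags any that are not on an operator-maintained allowlist; the allowlist contents and the two sample payloads are constructed assumptions, not captures from NAVIS N4.

```python
import re

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72  # tag that precedes a serialized class descriptor

# Hypothetical allowlist of classes the application legitimately exchanges;
# an operator would derive the real list from captures of benign traffic.
EXPECTED_CLASSES = {"java.util.HashMap", "java.lang.String"}

# Plausible Java class name: dotted identifiers, optionally array form "[Ljava.lang.String;".
_CLASS_NAME = re.compile(rb"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")

def extract_class_names(payload: bytes) -> list:
    """Heuristically list the class names a Java serialization stream declares.
    A TC_CLASSDESC tag is followed by a 2-byte big-endian length and the name;
    a candidate is kept only if exactly that many bytes look like a class name,
    which keeps false positives low on arbitrary binary data."""
    names = []
    for i in range(len(payload) - 3):
        if payload[i] != TC_CLASSDESC:
            continue
        length = int.from_bytes(payload[i + 1:i + 3], "big")
        candidate = payload[i + 3:i + 3 + length]
        if 0 < length == len(candidate) and _CLASS_NAME.match(candidate):
            names.append(candidate.decode("ascii"))
    return names

def inspect_payload(payload: bytes) -> dict:
    """Verdict for one request body: is it a Java serialization stream, which
    classes does it declare, and which of those are not on the allowlist."""
    if not payload.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "unexpected": []}
    classes = extract_class_names(payload)
    unexpected = [c for c in classes if c not in EXPECTED_CLASSES]
    return {"java_serialized": True, "classes": classes, "unexpected": unexpected}

def _class_desc(name: str) -> bytes:  # minimal TC_CLASSDESC fragment for the samples
    encoded = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + len(encoded).to_bytes(2, "big") + encoded

# Constructed sample payloads (not real captures): TC_OBJECT (0x73) followed by a
# descriptor for a benign HashMap, and one for a class never seen in normal use.
BENIGN = STREAM_MAGIC + b"\x73" + _class_desc("java.util.HashMap") + b"\x00" * 12
SUSPECT = STREAM_MAGIC + b"\x73" + _class_desc("example.NotOnAllowlist") + b"\x00" * 12

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_payload(body))
```

The scanner is a heuristic, not a full stream parser: it is meant as an IDS or proxy pre-filter that raises an alert on unexpected class names, with the vendor patch remaining the actual fix.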
EUVD identifier: EUVD-2025-19054