CVE-2025-2566

EUVD-2025-19054 | CRITICAL
Published: 2025-06-24
CVSS 4.0 base score: 9.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd) - EUVD-2025-19054
Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
CVE Published: Jun 24, 2025 - 19:15 (nvd) - CRITICAL 9.3

Description

Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.

Analysis

CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.

Technical Context

The vulnerability stems from unsafe Java deserialization (CWE-502) in the NAVIS N4 ULC application. Java deserialization attacks occur when an application deserializes untrusted data without validating which classes may be instantiated; the attacker's bytes then cause the runtime to construct arbitrary objects from classes already on the server classpath, and chains of such objects (gadget chains) in available libraries can trigger code execution during or shortly after deserialization. NAVIS N4 is a port terminal operating system used in maritime logistics and container management. The Ultra Light Client (ULC) variant is designed for lightweight client-server communication, so its endpoints may be reachable from external networks. The vulnerability likely exists in the serialization/deserialization layer used for client-server communication, potentially involving RMI (Remote Method Invocation), JMX, or custom serialization handlers. CPE identifiers would typically follow the pattern cpe:2.3:a:kaleris:navis_n4_ulc:*. The attack does not require authentication, which indicates that deserialization occurs before any user validation checks.
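To make the CWE-502 mechanism described above concrete, here is an added example; it is not Kaleris NAVIS N4 code and does not describe the product's actual protocol. It shows the unsafe readObject() pattern beside the same read hardened with a JDK serialization filter (ObjectInputFilter, JDK 9+), which decides per class descriptor whether a class may be resolved before any object is constructed. The Greeting class, the method names and the filter pattern are assumptions chosen for the demonstration, and a benign java.util.HashMap stands in for "any class the server did not expect".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (hypothetical names; not NAVIS N4 code): CWE-502 pattern beside its hardened form.
public class DeserializationFilterDemo {

    // Hypothetical message type the server legitimately expects from clients.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Unsafe: any Serializable class on the server classpath can be instantiated
    // from attacker-controlled bytes, before any application-level check runs.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: an allow-list filter is consulted for every class descriptor before it is
    // resolved. Patterns are matched in order; "!*" at the end rejects everything not listed.
    static final ObjectInputFilter ALLOW_ONLY_GREETING = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=65536;"               // structural limits against resource abuse
            + "DeserializationFilterDemo$Greeting;"    // the one message type we expect
            + "java.lang.String;"                      // its only field type
            + "!*");                                   // reject every other class

    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_ONLY_GREETING); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    // Helper that produces the bytes a client would send (constructed sample input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new HashMap<String, String>()); // benign stand-in for an unexpected class

        System.out.println("unsafeRead(expected)   -> " + ((Greeting) unsafeRead(expected)).text);
        System.out.println("unsafeRead(unexpected) -> " + unsafeRead(unexpected).getClass().getName());
        System.out.println("safeRead(expected)     -> " + ((Greeting) safeRead(expected)).text);
        try {
            safeRead(unexpected);
            System.out.println("safeRead(unexpected)   -> accepted (filter not in effect)");
        } catch (InvalidClassException e) {
            // The filter rejects the HashMap descriptor; no object of that class is ever created.
            System.out.println("safeRead(unexpected)   -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later. The same allow-list can be applied process-wide without touching application code through the JDK system property `jdk.serialFilter` (for example `-Djdk.serialFilter='com.example.dto.*;java.lang.String;!*'`, with the package names being a placeholder for the types a given deployment actually exchanges), which is useful as a defense-in-depth control on a server that cannot yet be patched; it reduces the reachable class set but does not replace the vendor fix, which the Remediation section below identifies as the primary path.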

Affected Products

Kaleris NAVIS N4 ULC (Ultra Light Client): all versions with unsafe deserialization in network communication handlers. Specific version information would be provided in vendor advisories. Expected CPE: cpe:2.3:a:kaleris:navis_n4_ulc:*:*:*:*:*:*:*:*. The vulnerability likely affects N4 versions released prior to a specific patch date. Maritime organizations, port terminals, freight forwarding companies, and container logistics providers using NAVIS N4 ULC for operations are in scope. No configuration variant appears to exclude the vulnerability: all network-accessible deployments are at risk.

Remediation

Immediate actions:

1. Identify all systems running NAVIS N4 ULC and verify their versions against the Kaleris security advisory.
2. Apply vendor-supplied patches immediately when they become available from Kaleris support channels.
3. If patching is not immediately possible, implement network segmentation that restricts access to NAVIS N4 ULC ports to authorized internal systems only, using firewall rules.
4. Monitor network traffic for suspicious serialization payloads or Java gadget chain indicators.
5. If network isolation is not feasible, deploy Web Application Firewall (WAF) or intrusion detection system (IDS) rules that detect Java deserialization attack patterns.
6. Review audit logs for indicators of compromise (unusual process execution, unexpected outbound connections from application servers).

Contact Kaleris directly for patch availability and deployment timelines. Workarounds are limited because the flaw is fundamental to the deserialization layer: patching is the primary remediation path.

Priority Score

47 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.7
CVSS: +46
POC: 0


CVE-2025-2566 vulnerability details – vuln.today
