How to fix EUVD-2025-17641?

Within 24 hours: Audit Kafka cluster access logs for any AlterConfigs permission usage and review current SASL JAAS configurations for JndiLoginModule or LdapLoginModule entries. Within 7 days: Upgrade to Kafka 3.4.0+ or apply the system property disable flag (-Dorg.apache.kafka.disallowed.login.modules) to block vulnerable login modules; restrict AlterConfigs permissions to only trusted service accounts. Within 30 days: Complete full cluster upgrade to Kafka 3.9.1/4.0.0 where vulnerable modules are disabled by default, and implement network segmentation to limit Kafka cluster access.

Is Java affected by EUVD-2025-17641?

Apache Kafka brokers are vulnerable to remote code execution and denial of service attacks if an authenticated attacker with AlterConfigs permissions can modify SASL JAAS configurations.

EUVD-2025-17641

| CVE-2025-27819 HIGH

2025-06-10 [email protected]

GHSA-mcwh-c9pg-xw43

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17641

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

CVE Published

Jun 10, 2025 - 08:15 nvd

HIGH 7.5

Description

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0

Analysis

A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Technical Context

CWE-502 (Insecure Deserialization). CVSS 7.5 indicates high severity.

Affected Products

['Unspecified product']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +38

POC: 0

Vendor Status

Debian

Bug #786460

kafka

Release	Status	Fixed Version	Urgency
	open	-	-

EUVD-2025-17641 vulnerability details – vuln.today

Back

EUVD-2025-17641

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

EUVD-2025-17641

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code