Insecure Deserialization
Insecure deserialization occurs when an application converts serialized data (a stream of bytes representing an object's state) back into a living object without proper validation.
How It Works
Insecure deserialization occurs when an application converts serialized data (a stream of bytes representing an object's state) back into a living object without proper validation. Serialization frameworks in languages like Java, PHP, Python, and .NET allow objects to be transformed into byte streams for storage or transmission, then reconstructed later. The vulnerability arises because deserialization can trigger code execution through the object's methods during reconstruction.
Attackers exploit this by crafting malicious serialized payloads containing specially chosen objects that chain together through "gadget chains" — sequences of method calls in existing application libraries. When the application deserializes the attacker's payload, it automatically invokes these methods in sequence, ultimately achieving arbitrary code execution. For example, in Java applications, an attacker might create a serialized object that, when deserialized, triggers a chain through Apache Commons Collections classes, ending in runtime command execution.
The attack typically begins with identifying an endpoint that accepts serialized data — often in cookies, API parameters, or message queue payloads. The attacker then uses tools like ysoserial (Java) or phpggc (PHP) to generate weaponized payloads targeting known gadget chains in the application's dependencies. Because deserialization happens automatically and often before any application logic executes, these attacks frequently bypass authentication and input validation.
Impact
- Remote code execution — attackers gain complete control of the server, executing arbitrary system commands
- Authentication bypass — deserializing manipulated user/session objects grants unauthorized access without credentials
- Privilege escalation — modifying serialized role or permission objects to gain administrative access
- Data exfiltration — reading sensitive files or database contents through executed code
- Denial of service — crafting objects that consume excessive memory or CPU during deserialization
Real-World Examples
SolarWinds Web Help Desk suffered two separate deserialization vulnerabilities in rapid succession. CVE-2025-40551 allowed unauthenticated attackers to achieve remote code execution by sending malicious serialized Java objects to the application. Even after patching, researchers discovered a second deserialization flaw in the same product, demonstrating how deeply embedded these vulnerabilities can be in application architectures.
Jenkins automation servers have experienced multiple Java deserialization vulnerabilities where attackers exploited the CLI protocol to send crafted objects, gaining full control over build servers. These attacks were particularly severe because Jenkins instances often have extensive network access and stored credentials for deploying applications.
WordPress and other PHP applications have faced attacks through unserialize() vulnerabilities in plugins, where attackers embedded malicious PHP objects in user-controllable data fields. Successful exploitation enabled attackers to install backdoors by writing arbitrary PHP files to the web root.
Mitigation
- Avoid deserializing untrusted data entirely — redesign systems to use data-only formats like JSON instead of native serialization
- Implement strict allowlists — configure deserialization libraries to only accept explicitly permitted classes, blocking all others
- Apply cryptographic signatures — sign serialized data and validate signatures before deserialization to ensure integrity
- Use isolated environments — deserialize in sandboxed processes with minimal privileges to contain potential exploitation
- Update vulnerable libraries — patch frameworks and remove dependencies with known gadget chains
- Monitor deserialization activity — log and alert on deserialization operations, especially from external sources
Recent CVEs (847)
PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.
PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.
A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deseriaization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Pickle deserialization RCE in pyfory 0.12.0-0.12.2 and pyfury 0.1.0-0.10.3.
A vulnerability was detected in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in GuanxingLu vlarl up to 31abc0baf53ef8f5db666a1c882e1ea64def2997. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Datart 1.0.0-rc.3 is vulnerable to Directory Traversal. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SolarWinds Web Help Desk contains an unauthenticated deserialization RCE via AjaxProxy, a patch bypass of both CVE-2024-28988 and CVE-2024-28986, the third iteration of this vulnerability.
Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support allows Object Injection.3.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress - ConveyThis allows Object Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in raoinfotech GSheets Connector allows Object Injection.1.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in jeecgboot JimuReport up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in h2oai h2o-3 up to 3.46.08. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.
Snipe-IT before 8.1.18 allows unsafe deserialization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Fortra GoAnywhere MFT contains a deserialization vulnerability in the License Servlet allowing command injection through crafted license response signatures.
The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Greenshot is an open source Windows screenshot utility. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dataease is an open source data analytics and visualization platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Dataease is an open-source data visualization and analysis platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Dataease is an open source data analytics and visualization platform. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A vulnerability was determined in 1Panel-dev MaxKB up to 2.0.2/2.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.
A security flaw has been discovered in lmsys sglang 0.4.6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core allows Object Injection.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThemeGoods Photography.5.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected engineering tool. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
DeepDiff is a project focused on Deep Difference and search of any Python data. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ExpressTech Systems Quiz And Survey Master allows Object Injection.2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon allows Object Injection.0.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
In createIntentsList of PackageParser.java , there is a possible way to bypass lazy bundle hardening, allowing modified data to be passed to the next process due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing.
Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - TQL Edition allows Object Injection.2.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - Daylight Edition allows Object Injection.2.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - Day & Ross Edition allows Object Injection.1.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).0 through 9.3, from 10.0 through 10.4;. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
There is a deserialization of untrusted data vulnerability in Digilent DASYLab. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A deserialization vulnerability exists in the H2O-3 REST API (POST /99/ImportSQLTable) that affects all versions up to 3.46.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
A vulnerability in the h2oai/h2o-3 repository allows attackers to exploit deserialization of untrusted data, potentially leading to arbitrary code execution and reading of system files.47.0.99999. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection.4.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Object Injection.0.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight allows Object Injection.1.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact allows Object Injection.0.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory - Staff Listing & Team Directory Plugin for WordPress allows Object Injection.5.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes - USPS Edition allows Object Injection.3.9. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.
Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection.2.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in nanbu Welcart e-Commerce allows Object Injection.11.16. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Object Injection.3.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection.5.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection.1.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
N-able N-central before 2025.3.1 contains a deserialization vulnerability allowing local code execution through crafted serialized data.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- web
- Total CVEs
- 847