CVE-2025-11538

medium

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2025:21371

https://access.redhat.com/errata/RHSA-2025:21370

https://bugzilla.redhat.com/show_bug.cgi?id=2402622

https://access.redhat.com/security/cve/CVE-2025-11538

Details

Source: Mitre, NVD

Published: 2025-11-13

Updated: 2025-11-14

Risk Information

CVSS v2

Base Score: 6.2

Vector: CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 6.8

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.00021