Keycloak < 26.4.4 Debug Mode JDWP Port Exposure (CVE-2025-11538)

The version of Keycloak installed on the remote host is prior to 26.4.4. It is, therefore, affected by a Port Exposure vulnerability: - A vulnerability exists in Keycloak's server distribution where enabling debug mode --debug insecurely defaults to binding the Java Debug Wire Protocol JDWP port ...

CVE-2025-11538

Keycloak is affected by CVE-2025-11538 in versions prior to 26.4.4 where enabling debug mode (--debug) binds the JDWP port to all interfaces (0.0.0.0), exposing the debug port on the local network. This potentially allows a local-network attacker to attach a remote debugger and achieve remote cod...

maobugs

maobugs 喵喵喵 1.samples-web-1.2.4.war 为 shiro =1.2.4 硬编码漏洞的war包。说实在这个war真的是难打... 2.jdwp-shellifier-master.zip 自己调试的话使用 java -Xdebug -Xrunjdwp:transport=dtsocket,server=y,suspend=n,address=5005 -jar spring-boot-h2-0.0.1-SNAPSHOT.jar 打开jdwp端口 jdwp 端口开启了的话就能被rce ,详情解压文件readme。 这里并不是无条件rce。...