CVE-2025-2566
published 2025-06-24

Priority: P2 (61) · CVSS 4.0 base score: 9.3 (critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.53% (40.9th percentile)
Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.

Affected (1 range)

Vendor    Product    Version range    Fixed in
kaleris   navis_n4   < 4.0            4.0

Detection & IOCs (extracted from sources)

  • Block Ultra Light Client URL patterns at the load balancer or firewall to disable the vulnerable ULC endpoint
  • The vulnerable component communicates via zlib-compressed data over HTTP; monitor for unencrypted HTTP traffic between ULC clients and N4 servers as an indicator of exposure
  • The vulnerability is an unsafe Java deserialization flaw reachable without authentication; detect specially crafted deserialization payloads in HTTP requests targeting the ULC endpoint (/ulc or *.jnlp paths)
  • The Ultra Light Client endpoint can be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file; this is a manual server-side configuration change
  • TLS must be implemented at the load balancer level; the setup is documented in the Application Security Guide provided to all users
  • Upgrading to N4 4.0 fully removes the vulnerable Ultra Light Client component, replacing it with an HTML UI
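One way to turn the detection bullet above into proxy- or WAF-log logic, as an added example that is not from this page or from Kaleris: it flags HTTP requests to the ULC paths named above (/ulc and *.jnlp) whose body, after optional zlib inflation (the page notes the client talks zlib-compressed data over HTTP), begins with the Java serialization stream header AC ED 00 05. The path regex, the HttpRequest record and the sample traffic are constructed for this example.

```python
import re
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Java serialization stream header: STREAM_MAGIC (0xACED) then STREAM_VERSION (0x0005).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# ULC paths named on the page (/ulc and *.jnlp); the regex itself is an assumption.
ULC_PATH_RE = re.compile(r"^/ulc(?:[/?]|$)|\.jnlp(?:\?|$)", re.IGNORECASE)

@dataclass
class HttpRequest:  # minimal stand-in for a parsed proxy/WAF log record
    method: str
    path: str
    body: bytes

def maybe_inflate(data: bytes) -> Tuple[bytes, bool]:
    """Inflate a zlib-wrapped body (CMF byte 0x78); return (payload, was_compressed)."""
    if len(data) >= 2 and data[0] == 0x78:
        try:
            return zlib.decompress(data), True
        except zlib.error:
            pass  # not a valid zlib stream after all; inspect the raw bytes instead
    return data, False

def inspect_ulc_request(req: HttpRequest) -> Optional[str]:
    """Return a finding when a request to a ULC path carries a serialized Java object."""
    if not ULC_PATH_RE.search(req.path):
        return None  # not the vulnerable endpoint; nothing to do
    payload, compressed = maybe_inflate(req.body)
    if payload.startswith(JAVA_SERIAL_MAGIC):
        return f"java-serialized-object {req.method} {req.path} zlib={compressed}"
    return None

def scan(requests: List[HttpRequest]) -> List[str]:
    return [f for f in (inspect_ulc_request(r) for r in requests) if f]

# Constructed sample traffic: only the first two records should be reported.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/ulc/servlet", zlib.compress(JAVA_SERIAL_MAGIC + b"constructed")),
    HttpRequest("POST", "/apex/ulc.jnlp", JAVA_SERIAL_MAGIC + b"constructed"),
    HttpRequest("GET", "/apex/ulc.jnlp", b""),                    # plain launcher fetch
    HttpRequest("POST", "/api/other", JAVA_SERIAL_MAGIC + b"x"),  # serialized, but not a ULC path
    HttpRequest("POST", "/ulc", b"\x78\x9c-not-really-zlib"),    # bad zlib body, falls back to raw
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check is a header match only, so it reports any Java object stream sent to these paths; pair it with the URL blocking and TLS measures listed above rather than relying on it alone.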