CVE-2025-2566
Published: 2025-06-24
Priority: P2 · 61 · Critical · CVSS 4.0 base score 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U all not defined)
EPSS: 0.53% (40.9th percentile)
Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaleris | navis_n4 | < 4.0 | 4.0 |
Detection & IOCs (extracted from sources)
- Block Ultra Light Client URL patterns at the load balancer or firewall to disable the vulnerable ULC endpoint.
- The vulnerable component communicates via zlib-compressed data over HTTP; monitor for unencrypted HTTP traffic between ULC clients and N4 servers as an indicator of exposure.
- The vulnerability is an unsafe Java deserialization flaw reachable without authentication; detect specially crafted deserialization payloads in HTTP requests targeting the ULC endpoint (/ulc or *.jnlp paths).
- The Ultra Light Client endpoint can be disabled on the N4 Cluster node by commenting out the relevant entries in the web.xml file; this is a manual server-side configuration change.
- TLS must be implemented at the load balancer level; the setup is documented in the Application Security Guide provided to all users.
- Upgrading to N4 4.0 fully removes the vulnerable Ultra Light Client component, replacing it with an HTML UI.
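The detection items above combine three observable signals: a request to the ULC paths named in the sources (/ulc, *.jnlp), a body carried over plain HTTP, and a zlib-compressed body that inflates to a Java serialization stream (the stream always opens with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005). The following detector, added here as an example and not code from Kaleris, CISA or the advisory sources, runs those checks over parsed requests. It assumes requests arrive as dicts with `scheme`, `path` and raw `body` keys (a shape chosen for this example, not any N4 or proxy format), and the sample traffic it builds is constructed, including the sub-paths `/ulc/client.jnlp` and `/ulc/request`, which are illustrative rather than documented N4 URLs.

```python
"""Detector for ULC-style Java deserialization traffic.

Added example, not Kaleris/CISA code. Assumptions: requests are dicts with
'scheme', 'path' and 'body' (raw bytes); the ULC path patterns are the
"/ulc" and "*.jnlp" forms quoted from the advisory sources.
"""
import re
import zlib
from typing import Optional

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Path patterns named for the Ultra Light Client endpoint: "/ulc" (alone or as a
# prefix) and any "*.jnlp" launcher file.
ULC_PATH_RE = re.compile(r"^/ulc(/|$)|\.jnlp(\?|$)", re.IGNORECASE)


def is_ulc_path(path: str) -> bool:
    """True when the request path matches the ULC endpoint patterns."""
    return bool(ULC_PATH_RE.search(path))


def inflate_if_zlib(body: bytes) -> Optional[bytes]:
    """Return the decompressed bytes if body is a zlib stream, else None."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def analyze_request(req: dict) -> list:
    """Return the list of detection tags raised by one request (empty if none)."""
    findings = []
    path = req.get("path", "")
    if not is_ulc_path(path):
        # Only the ULC surface is in scope for this detector.
        return findings
    findings.append(f"ulc_endpoint_access:{path}")
    if req.get("scheme", "").lower() == "http":
        # Cleartext transport: the exposure indicator from the advisory.
        findings.append("cleartext_http")
    body = req.get("body", b"")
    inflated = inflate_if_zlib(body)
    if inflated is not None:
        # ULC traffic is zlib-wrapped, so inspect the inflated bytes.
        findings.append("zlib_body")
        payload = inflated
    else:
        payload = body
    if payload.startswith(JAVA_SER_MAGIC):
        findings.append("java_serialized_payload")
    elif JAVA_SER_MAGIC in payload:
        findings.append("java_serialized_payload_embedded")
    return findings


def classify(findings: list) -> str:
    """Collapse a finding list into one verdict for alert routing."""
    if any(f.startswith("java_serialized_payload") for f in findings):
        return "deserialization_payload"
    if findings:
        return "ulc_exposure"
    return "none"


def scan(requests: list) -> list:
    """Run analyze_request over a batch and return one finding list per request."""
    return [analyze_request(r) for r in requests]


def sample_requests() -> list:
    """Constructed sample traffic (not captured data) for exercising the detector."""
    # Minimal fake object stream: magic/version followed by arbitrary bytes.
    serialized = JAVA_SER_MAGIC + b"\x73\x72\x00\x05Dummy"
    return [
        # 1: cleartext HTTP, zlib-wrapped serialized object to the ULC path
        {"scheme": "http", "path": "/ulc", "body": zlib.compress(serialized)},
        # 2: TLS, JNLP launcher fetch with no body (constructed sub-path)
        {"scheme": "https", "path": "/ulc/client.jnlp", "body": b""},
        # 3: unrelated endpoint carrying a serialized object, outside the ULC surface
        {"scheme": "https", "path": "/health", "body": serialized},
        # 4: ULC path, uncompressed serialized object (constructed sub-path)
        {"scheme": "https", "path": "/ulc/request", "body": serialized},
    ]


if __name__ == "__main__":
    for req, findings in zip(sample_requests(), scan(sample_requests())):
        print(req["scheme"], req["path"], classify(findings), findings)
```

Two points follow from the page's own notes. The same `ULC_PATH_RE` is the pattern to put in the load-balancer or firewall block rule the first item recommends, and body inspection is only possible where TLS terminates, which is why the TLS-at-the-load-balancer guidance and the payload detection belong together. The magic-byte check is applied after inflating because the sources describe ULC traffic as zlib-compressed; a detector that only looks at the raw body would miss the compressed case entirely.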
GHSA
GHSA-8jgr-qfg7-w699 (unreviewed · 2025-06-24 · CRITICAL · CWE-502): Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
CISA ICS
ICSA-25-175-01: Kaleris Navis N4 Terminal Operating System (cisa_ics · 2025-06-24 · CVSS 9.3 · CRITICAL)
## Kaleris Navis N4 Terminal Operating System
ICS Advisory
Release Date: June 24, 2025
Alert Code: ICSA-25-175-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Kaleris
- Equipment: Navis N4
- Vulnerabilities: Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to achieve remote code execution on the N4 server or to extract sensitive information from cleartext traffic.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Kaleris Navis N4, a terminal operating sy
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-06-24