CVE-2025-57738

CWE-653 | 4 documents | 4 sources
Severity
7.2 HIGH
EPSS
0.1%
top 73.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Oct 20

Description

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing custom implementations of a few Java interfaces to be provided; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a runnin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (3 packages)

NVD | apache/syncope | 2.1.0 | 3.0.14 | +1
CVEListV5 | apache_software_foundation/apache_syncope | 2.1 | 2.1.14 | +2

Vulnerability Details (3)
CVEList | Apache Syncope: Remote Code Execution by delegated administrators | 2025-10-20
GHSA | Apache Syncope allows malicious administrators to inject Groovy code | 2025-10-20
OSV | Apache Syncope allows malicious administrators to inject Groovy code | 2025-10-20
CVE-2025-57738 (HIGH CVSS 7.2) | cvebase.io