Main Vulnerability Database Vulnerabilities #VU118658

#VU118658 JNDI injection in DataEase - CVE-2025-64428

Published: November 21, 2025

Vulnerability identifier: #VU118658

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2025-64428

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
DataEase

Software vendor:
DataEase

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when handling JNDI commands passed via iiop, corbaname, and iiopname schemes. A remote user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h

#VU118658 JNDI injection in DataEase - CVE-2025-64428

Description

Remediation

External links

Please verify you're human