This disclosure was originally published by Chaitin Security Emergency Response Center.
About the Author
Hi, my name is Sharon. I'm a product manager at Chaitin Tech. We build SafeLine, a high-performance open-source Web Application Firewall (WAF) that helps defend against real-world threats like code injection, web shells, and malicious bot traffic. While SafeLine focuses on HTTP traffic, we also track and respond to non-HTTP vulnerabilities that may affect our clients' environments.
In March 2025, Chaitin researchers discovered a critical remote code execution (RCE) vulnerability in Apusic Application Server (AAS), an enterprise-grade JakartaEE-compatible middleware. The vulnerability stems from unsafe Java deserialization in the IIOP protocol and allows unauthenticated attackers to execute arbitrary code remotely.
Apusic has released a patch. Affected users are strongly advised to upgrade immediately.
Vulnerability Description
Root Cause
The vulnerability is caused by unsafe Java deserialization when the AAS server processes IIOP (Internet Inter-ORB Protocol) requests. The exposed IIOP service interface accepts serialized objects without proper validation, allowing attackers to send crafted malicious payloads that trigger remote code execution.
Impact
- Remote Code Execution (RCE): Attackers can run arbitrary commands on the server.
- Full Server Compromise: May lead to backdoor installation, data theft, or lateral movement.
Risk Summary
| Category | Detail |
|---|---|
| Priority | High |
| Vulnerability Type | Java Deserialization |
| Severity | High |
| Trigger | Remote network access |
| Authentication | Not required |
| System Config | Exploitable with default settings |
| User Interaction | Not required |
| Exploit Availability | Public PoC/Exploit available |
| Fix Complexity | Low (official patch available) |
Affected Versions
- Apusic Application Server v10.0 Enterprise Edition SP1 to SP8
Mitigation & Fixes
Temporary Workaround
Restrict IIOP port access to the local host, or disable the IIOP protocol entirely if your application doesn't rely on it. Follow the official advisory for configuration details.
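A way to verify that the workaround actually took effect, as an added example that is not part of the original advisory: it parses `ss -Hltn` output and flags any listener on the IIOP port that is bound to a non-loopback address. The advisory does not state the IIOP port number, so `IIOP_PORT` below is a placeholder assumption; the sample `ss` lines are constructed.

```python
"""Audit listening sockets to confirm the IIOP port is loopback-only (Linux, iproute2)."""
import ipaddress
import subprocess

IIOP_PORT = 3700  # placeholder assumption, not from the advisory; use your configured port

# Constructed sample of `ss -Hltn` output (-H suppresses the header line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:3700 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:3700 [::]:*
LISTEN 0 128 [::1]:3700 [::]:*
"""

def parse_local_addr(field: str):
    """Split an ss local-address field into (host, port); handles IPv6 brackets and '*'."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):          # wildcard notation used by older ss versions
        host = "0.0.0.0"
    return host, int(port)

def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for wildcard, public or unparsable addresses."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def exposed_listeners(ss_output: str, port: int = IIOP_PORT):
    """Return the local-address fields for `port` that are reachable beyond localhost."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, p = parse_local_addr(fields[3])   # column 4 is Local Address:Port
        if p == port and not is_loopback(host):
            exposed.append(fields[3])
    return exposed

def audit_live_system(port: int = IIOP_PORT):
    """Run ss on this host and return exposed listeners for `port`."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port)

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"IIOP port reachable beyond localhost: {addr}")
```

Note that a listener on `[::]` is exposed even when the IPv4 socket is correctly bound to `127.0.0.1`, which is exactly the case the sample catches.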
Official Patch
Apusic has released updated versions addressing this vulnerability. Download and install the patched version from the official site:
https://www.apusic.com/view-477-120.html
Vulnerability Reproduction
An example of sending a malicious IIOP payload leading to code execution.
Timeline
- Mar 24, 2025: Vulnerability registered in NVDB
- Apr 1, 2025: Official vendor patch released
- Apr 23, 2025: Public advisory by Chaitin Emergency Response Center
Product Support
| Product | Detection Capability |
|---|---|
| Yuntu | Supports fingerprinting & PoC detection |
| Dongjian | Will support detection in the April 28 update |
| SafeLine | Not applicable (non-HTTP vulnerability) |
| Quanxi | Detection rules released |
While this is a non-HTTP vulnerability and thus not directly detectable by SafeLine, our emergency response team actively tracks such threats and provides recommendations to help you harden your stack.
Reference:
https://www.apusic.com/view-477-120.html
Join the Community
Interested in WAFs, vulnerabilities, and open-source security tools? Click below to join the SafeLine Community Group and geek out with us!
- GitHub Repository
- Official Docs
- Discord Community
Top comments (1)
Thanks for the detailed disclosure, Sharon. This is a critical reminder of how dangerous insecure deserialization can be, especially in enterprise environments. I appreciate that Chaitin not only identified the issue but also shared actionable mitigation steps and a patch timeline. For anyone using AAS in production, this should be treated as a top-priority fix. Kudos to the Chaitin team for staying ahead of real-world threats like this!