CVE-2025-10363
Published: 06 October 2025
Summary
CVE-2025-10363 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Topal Solutions AG Topal Finanzbuchhaltung (vendor inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-10363 is a deserialization of untrusted data vulnerability, assigned CWE-502, that permits remote code execution. It affects Topal Solutions AG Topal Finanzbuchhaltung running on Windows, with the issue confirmed in version 10.1.5.20 and addressed in the 11.2.12.00 release.
Unauthenticated remote attackers can supply malicious serialized data over the network to trigger arbitrary code execution on the target system, achieving full compromise of confidentiality, integrity, and availability without any user interaction or credentials.
The vendor's release notes for version 11.2.12.00 document the fix, while the accompanying advisory from InfoGuard Labs details the unauthenticated remote code execution path and recommends immediate upgrade from affected releases. The associated EPSS score remains low and unchanged at 0.0191 with no observed upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32161
Vulnerability details
Deserialization of Untrusted Data vulnerability in Topal Solutions AG Topal Finanzbuchhaltung on Windows allows Remote Code Execution. This issue affects at least Topal Finanzbuchhaltung 10.1.5.20 and is fixed in version 11.2.12.00.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing supplies malicious serialized objects to the application, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so gadget-chain exploitation cannot reach the host outside the sandbox.
- Input validation validates or rejects untrusted serialized data before deserialization occurs.
- Boundary protection identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information (for example, a signature or authentication tag checked before parsing) can detect tampering before deserialization occurs.
- Provenance tracking of associated data allows untrusted sources to be detected before deserialization or processing occurs.