CVE-2025-53606
Published: 08 August 2025
Summary
CVE-2025-53606 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Seata. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of flaws like this deserialization vulnerability through patching or upgrading to Seata 2.5.0.
- SI-10 (Information Input Validation): Mandates validation of untrusted inputs from external sources using defined mechanisms to block malicious serialized data from being deserialized.
- SI-7 (Software, Firmware, and Information Integrity): Provides integrity monitoring of software and firmware to detect unauthorized changes resulting from arbitrary code execution triggered by deserialization.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
A remote, unauthenticated deserialization RCE in a public-facing Apache Seata service directly enables T1190.
NVD Description
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Deeper analysis [AI]
CVE-2025-53606 is a Deserialization of Untrusted Data vulnerability (CWE-502) in Apache Seata (incubating) version 2.4.0. Published on 2025-08-08, it carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). A remote unauthenticated attacker can thus trigger deserialization of untrusted data, potentially achieving arbitrary code execution and full system compromise with high impacts on confidentiality, integrity, and availability.
Apache advisories recommend upgrading to version 2.5.0, which fixes the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/ggfd72vvvxjozs81zbcls45zxg64pphx and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/08/07/1.
Details
- CWE(s)