CVE-2025-66214
Published: 09 December 2025
Summary
CVE-2025-66214 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wearefrank Ladybug. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 48.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the deserialization vulnerability by requiring timely application of the vendor fix in Ladybug version 3.0-20251107.114628.
- SI-10 (Information Input Validation): requires validation of user-controllable gzip-compressed XML uploads so that crafted payloads are rejected before deserialization and RCE.
- Restricts unauthorized or excessive uploads to the vulnerable /iaf/ladybug/api/report endpoints, limiting opportunities for untrusted XML submission.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged local users (PR:L, AV:L) to achieve remote code execution via unsafe deserialization of user-controlled XML payloads, directly facilitating Exploitation for Privilege Escalation (T1068).
NVD Description
Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.
Deeper analysis
Ladybug, a Java-based tool for adding message-based debugging, unit, system, and regression testing to applications, is affected by CVE-2025-66214 in versions prior to 3.0-20251107.114628. The vulnerability stems from the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which permit uploading gzip-compressed XML files containing user-controllable content. The system deserializes these files without sufficient validation, enabling remote code execution through crafted XML payloads (CWE-502: Deserialization of Untrusted Data).
Exploitation requires local access (AV:L), low privileges (PR:L), and high attack complexity (AC:H), with no user interaction needed (UI:N). Successful attackers can achieve remote code execution on the target server, resulting in high confidentiality impact (C:H), low integrity and availability impacts (I:L/A:L), and a changed scope (S:C), as reflected in the CVSS v3.1 base score of 7.0.
The GitHub security advisory (GHSA-f9fh-r3cv-398f) confirms the issue is resolved in Ladybug version 3.0-20251107.114628, recommending an upgrade to mitigate the deserialization flaw.
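As an added example (not code from the advisory or the Ladybug project), the following Python supports the two controls above: it checks an installed Ladybug version string against the fix version quoted in the analysis, and flags write requests to the two report endpoints in constructed access-log lines. The MAJOR.MINOR-YYYYMMDD.HHMMSS version layout, the combined access-log format, and POST/PUT as the upload methods are assumptions.

```python
import re
from datetime import datetime

# Fix version stated in the advisory; any earlier build is affected.
FIXED_VERSION = "3.0-20251107.114628"

# Assumed version layout MAJOR.MINOR-YYYYMMDD.HHMMSS, as in the fix version above.
VERSION_RE = re.compile(r"(\d+)\.(\d+)-(\d{8})\.(\d{6})")
# The two endpoints named in the advisory: /report/upload and /report/{storage}.
REPORT_ENDPOINT_RE = re.compile(r"^/iaf/ladybug/api/report/[^/?]+(\?|$)")
# Combined/common access-log layout (assumed; adjust to your proxy's format).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(version: str):
    """Turn a Ladybug snapshot version into a tuple that sorts chronologically."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ladybug version: {version!r}")
    major, minor, day, clock = m.groups()
    return (int(major), int(minor), datetime.strptime(day + clock, "%Y%m%d%H%M%S"))

def is_vulnerable(version: str) -> bool:
    """True when the installed build predates the fix for CVE-2025-66214."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def flag_report_uploads(log_lines):
    """Return (line_no, user, method, path) for write requests to the report endpoints.
    Only POST/PUT count as uploads (assumption: the advisory does not state the method)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = ACCESS_LOG_RE.match(line)
        if m and m["method"] in ("POST", "PUT") and REPORT_ENDPOINT_RE.match(m["path"]):
            hits.append((n, m["user"], m["method"], m["path"]))
    return hits

# Constructed sample log lines (not real traffic); "Logging" is a placeholder storage name.
SAMPLE_LOG = [
    '10.0.0.5 - alice [09/Dec/2025:10:15:32 +0000] "POST /iaf/ladybug/api/report/upload HTTP/1.1" 200 512',
    '10.0.0.5 - alice [09/Dec/2025:10:16:01 +0000] "GET /iaf/ladybug/api/report/Logging HTTP/1.1" 200 2048',
    '10.0.0.7 - bob [09/Dec/2025:10:17:45 +0000] "PUT /iaf/ladybug/api/report/Logging?x=1 HTTP/1.1" 200 300',
    '10.0.0.7 - bob [09/Dec/2025:10:18:02 +0000] "POST /iaf/ladybug/api/testtool HTTP/1.1" 200 77',
]
```

Run `is_vulnerable(...)` against each deployed instance's version string during patch tracking, and feed your real access log to `flag_report_uploads` to see who has been submitting reports while unpatched builds remain.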
Details
- CWE(s)