PT-2025-42765 · Apache · Apache Syncope
Mike Cole · Published 2025-08-28 · Updated 2026-04-20
CVE-2025-57738
CVSS v2.0: 9.0 (High) | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Syncope versions 3.0.0 through 3.0.13
Apache Syncope versions 4.0.0 through 4.0.1
Description
Apache Syncope allows a malicious administrator to inject Groovy code that is then executed remotely by a running Apache Syncope Core instance. The software can be extended beyond its base behavior through custom implementations of its Java or Groovy interfaces; Groovy is the more attractive option because implementations written in it can be reloaded at runtime without restarting the instance. An administrator with the rights to manage such implementations can abuse this feature to inject and execute malicious code.
Recommendations
Upgrade to Apache Syncope version 3.0.14
Upgrade to Apache Syncope version 4.0.2
Fix
RCE
Affected Products
Apache Syncope