PatchSiren cyber security CVE debrief
CVE-2025-2566 Kaleris CVE debrief
CVE-2025-2566 is a critical remote code execution issue in Kaleris Navis N4 ULC (Ultra Light Client). According to the CISA CSAF advisory published on 2025-06-24, an unauthenticated attacker can send specially crafted requests that trigger unsafe Java deserialization and execute arbitrary code on the server. The affected product scope in the advisory is Kaleris Navis N4 versions below 4.0, with vendor fixes listed for multiple maintained release lines and a migration path to N4 4.0 where the Ultra Light Client has been replaced with the HTML UI.
- Vendor: Kaleris
- Product: Navis N4
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-24
- Original CVE updated: 2025-06-24
- Advisory published: 2025-06-24
- Advisory updated: 2025-06-24
Who should care
Kaleris Navis N4 administrators, OT/terminal operations teams, and security owners responsible for systems that expose the Ultra Light Client or related N4 services to untrusted networks, especially internet-facing deployments.
Technical summary
The advisory describes an unsafe Java deserialization weakness in NAVIS N4 ULC. The attack does not require authentication, and the outcome can be arbitrary code execution on the server if a crafted request reaches the vulnerable component. The CSAF lists affected products as Kaleris Navis N4 <4.0 and provides fixed versions for supported branches: 3.1.44+, 3.2.26+, 3.3.27+, 3.4.25+, 3.5.18+, 3.6.14+, 3.7.0+, and 3.8.0+. It also notes N4 4.0 as a longer-term option because the Ultra Light Client is replaced with the HTML UI.
Defensive priority
Immediate
Recommended defensive actions
- Upgrade to a fixed Navis N4 release for your branch: 3.1.44+, 3.2.26+, 3.3.27+, 3.4.25+, 3.5.18+, 3.6.14+, 3.7.0+, or 3.8.0+, or move to N4 4.0.
- If N4 does not need to be internet-facing, place it behind a firewall and remove external exposure.
- If N4 must remain exposed, disable the Ultra Light Client on exposed nodes by blocking the ULC URL patterns at the load balancer or firewall, or by disabling the endpoint in web.xml and restarting the server.
- Prefer a secure VPN, authenticated jump host, or VDI access path for any required external users rather than direct public exposure.
- Limit the number of internet-exposed N4 nodes, ensure HTTPS/TLS is correctly configured on the load balancer, and use perimeter protections with DDoS detection.
- Verify that the vendor guidance has been applied across all affected environments and coordinate with [email protected] if you need clarification or support.
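As an added check that is not part of the advisory or of any Kaleris tooling, the Python below encodes the fixed-version table above and classifies an inventory of deployed N4 versions, flagging branches for which the advisory lists no fixed build; the host names and versions are constructed sample data.

```python
# Added example (not vendor code): check deployed Navis N4 versions against the
# fixed releases listed in the CISA CSAF advisory for CVE-2025-2566.
import re
from typing import Dict, List, Tuple

# Minimum fixed patch level per supported 3.x branch, taken from the advisory.
FIXED_PATCH_BY_BRANCH: Dict[Tuple[int, int], int] = {
    (3, 1): 44, (3, 2): 26, (3, 3): 27, (3, 4): 25,
    (3, 5): 18, (3, 6): 14, (3, 7): 0, (3, 8): 0,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major[.minor[.patch]]'; trailing build tags such as '-hotfix2' are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def assess_n4_version(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'no_fix_listed' for one N4 version string."""
    major, minor, patch = parse_version(text)
    if major >= 4:
        # N4 4.0 replaced the Ultra Light Client with the HTML UI and is outside the <4.0 scope.
        return "fixed"
    fixed_patch = FIXED_PATCH_BY_BRANCH.get((major, minor))
    if fixed_patch is None:
        # Inside the <4.0 affected range, but the advisory lists no fixed build for this
        # branch: treat it as affected and plan a move to a supported branch or N4 4.0.
        return "no_fix_listed"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: version}, return the hosts that are not on a fixed release."""
    return sorted(h for h, v in inventory.items() if assess_n4_version(v) != "fixed")


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or observed versions.
    sample = {"n4-app-01": "3.5.18-hotfix2", "n4-app-02": "3.2.25",
              "n4-app-03": "3.0.12", "n4-app-04": "4.0.1"}
    for host in hosts_needing_action(sample):
        print(f"{host}: {sample[host]} -> {assess_n4_version(sample[host])}")
```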
Evidence notes
The supplied CISA CSAF advisory (ICSA-25-175-01), published on 2025-06-24, states that Kaleris NAVIS N4 ULC contains an unsafe Java deserialization vulnerability and that an unauthenticated attacker can execute arbitrary code on the server via specially crafted requests. The advisory's affected product entry is Kaleris Navis N4: <4.0. Remediation entries list version-specific fixes for supported branches and defensive mitigations for reducing or removing ULC exposure. Both the supplied publication and modification timestamps are 2025-06-24T06:00:00Z, so that date is the timing context for this issue.
Official resources
- CVE-2025-2566 CVE record (CVE.org)
- CVE-2025-2566 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the initial CSAF advisory and CVE record on 2025-06-24. The supplied data does not indicate KEV listing or known ransomware campaign use.