Is CVE-2021-25641 known to be exploited?

24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Dubbo

CVE-2021-25641

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by ta…

EPSS: 0.746 (98.9th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Dubbo — versions Apache Dubbo 2.7.x, Apache Dubbo 2.6.x

Public proof-of-concept exploits

Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept
l0n3rs/CVE-2021-25641
ARPSyndicate/cvemon
AdeliaNitzsche/Java-Deserialization-Cheat-Sheet
Armandhe-China/ApacheDubboSerialVuln
BrittanyKuhn/javascript-tutorial
GrrrDog/Java-Deserialization-Cheat-Sheet
NaInSec/CVE-PoC-in-GitHub
SYRTI/POC_
WhooAmii/POC_

References

lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84… (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-25641?: CVE-2021-25641 is a vulnerability in Apache Software Foundation Dubbo. Published 2021-05-29.
Is CVE-2021-25641 known to be exploited?: 24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.