Vulnerability Description: Improper Access Control – CWE-284
Software Version: 34.0.0.Beta
NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-23367
CVSS:
Severity:
Credits: Claudia Bartolini, Marco Ventura, Massimiliano Brolli
The product WildFly 34.0.0.Beta does not restrict or incorrectly restricts access to a resource from an unauthorized actor. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
Step-by-step instructions and PoC
A remote user, authenticated to the Management Console, can suspend and restore server in the Standalone Server Runtime page. Successfully exploitation of this vulnerability can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.
Affected Endpoints
· URL: http://[IP]:[PORT]/console/index.html#runtime;path=standalone-server-column~standalone-host-[HOSTNAME]
· Vulnerable Configuration Parameter: Suspend State
Below the evidence with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
bwAAAAMAD3N1c3BlbmQtdGltZW91dEkAAAAeAAlvcGVyYXRpb25zAAdzdXNwZW5kAAdhZGRyZXNzbAAAAAA=
As a first step, the attacker, in this case an ordinary “auditor” user, must be logged in the Management Console and has to enter the Runtime session. As you can see in the following image, the “Suspended State” is RUNNING:
