CVE-2021-35464

CVE-2021-35464 is a critical-severity vulnerability in Forgerock Access Management with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-502.

Key facts

Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

ForgeRock OpenAM / AM Server – Pre-Auth Java Deserialization RCE (CVE-2021-35464)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2021-35464
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3 9.8 (CRITICAL)
EPSS 0.99999
KEV Listed since 2021-11-03
CWE CWE-502 – Deserialization of Untrusted Data
Published 2021-07-22
Source NVD

Summary

ForgeRock Access Management (formerly OpenAM) contains a critical unauthenticated Java deserialization vulnerability in the legacy Sun ONE Application Framework (JATO) component. A single crafted request to the /ccversion/* endpoint can trigger remote code execution on the server without prior authentication.

Background

ForgeRock Access Management (AM) and its predecessor OpenAM are widely used identity and access management platforms that provide single sign-on, federation, and authorization services for enterprise applications. Versions of the product built on Java 8 or earlier retain the legacy JATO framework, which is the root of this vulnerability. The framework is used to manage page state via serialized Java objects passed through the jato.pageSession parameter.

Root Cause

CWE-502 – Deserialization of Untrusted Data

The JATO framework within ForgeRock AM deserializes attacker-controlled Java objects provided via the jato.pageSession parameter. The application does not validate the type or content of the serialized objects before passing them to the Java deserialization engine. This allows the injection of arbitrary serialized objects, including gadget chains that lead to remote code execution. The vulnerability exists because JATO was not designed for modern security boundaries and was discontinued by its original vendor; its presence in the Java 8-era code path continues to expose deserialization surface.

Impact

This is a Critical severity vulnerability with a CVSS v3 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  • Network Vector (AV:N) – The vulnerability is exploitable remotely over the network.
  • Low Attack Complexity (AC:L) – No special conditions are required beyond the ability to reach the target.
  • No Authentication (PR:N) – The attacker does not need any credentials or prior access.
  • No User Interaction (UI:N) – The attack is fully automated.
  • High Impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H) – Successful exploitation yields complete compromise of the server.

The EPSS score of 0.99999 with a percentile of 0.99993 indicates that exploitation in the wild is extremely probable, and the CISA KEV catalog confirms this vulnerability has been actively exploited since November 2021.

Exploitation Walkthrough

Disclaimer: This walkthrough is provided for defensive purposes only. It describes the attack surface and indicators to help defenders detect and mitigate the risk. No weaponized exploit code is provided.

  1. Reconnaissance – The attacker identifies an exposed ForgeRock AM or OpenAM instance by probing the /ccversion/* path or similar JATO endpoints.
  2. Crafting the Payload – The attacker generates a serialized Java object that contains a malicious gadget chain (commonly leveraging libraries such as Apache Commons Collections or similar classes present on the classpath).
  3. Delivery – The payload is Base64 encoded and placed into the jato.pageSession parameter in an HTTP POST request to the vulnerable endpoint.
  4. Deserialization Trigger – The server receives the request, decodes the parameter, and passes the raw bytes to the Java ObjectInputStream.readObject() method.
  5. Code Execution – The gadget chain executes during deserialization, giving the attacker a reverse shell, web shell, or direct command execution on the host.

Defensive Note: Even without knowing the exact payload, defenders can monitor for large or unusual Base64 blobs in jato.pageSession and unexpected outbound connections from the AM server.

Affected and Patched Versions

Product Affected Versions Fixed Version
ForgeRock Access Management Pre-7.0 7.0+
ForgeRock OpenAM Pre-7.0 (legacy naming) 7.0+ (AM)

ForgeRock’s official knowledge base article confirms that AM 7.0 and later are not affected.

Remediation

Immediate Actions

  1. Upgrade to ForgeRock AM 7.0 or later – This is the definitive fix.
  2. Patch/Upgrade Java – If immediate upgrading is not possible, ensure you are running a patched version of the application and Java runtime.
  3. Remove or Disable JATO Endpoints – If your deployment does not require the legacy /ccversion/* JATO pages, disable or block access to those URL patterns at the reverse proxy or web application firewall level.

Compensating Controls

  • Web Application Firewall (WAF) – Deploy rules that inspect the jato.pageSession parameter for unusually large Base64 strings and block requests containing suspicious serialized objects.
  • Network Segmentation – Restrict access to the AM admin and internal endpoints to trusted management networks only.
  • Runtime Application Self-Protection (RASP) – Use a RASP or Java agent that can detect and block deserialization of untrusted classes.
  • JEP 290 / JEP 415 – If supported by your Java runtime, enable the deserialization filter (ObjectInputFilter) to block known gadget classes.

Detection

Source Indicator
Web Logs POST requests to /ccversion/* with a large jato.pageSession parameter
Network Unexpected outbound connections from the AM server process
Process Child processes spawned by the AM application server
Files New JSP files, web shells, or modified configuration files in the AM deployment directory
CISA KEV CVE-2021-35464 is listed; prioritize this detection rule

Consider creating a detection rule in your SIEM for any HTTP request containing jato.pageSession that exceeds a normal length threshold (e.g., > 500 bytes).

Assessment

With an EPSS of 0.99999 and a confirmed KEV listing, this vulnerability is one of the highest-probability exploitation targets in enterprise environments. Attackers routinely scan for exposed OpenAM/AM servers because the vulnerability is unauthenticated and trivial to weaponize.

Lessons:

  1. Legacy frameworks carry hidden risk. Discontinued or deprecated components such as JATO can reintroduce critical vulnerabilities years after their end-of-life.
  2. Pre-authentication RCE is a worst-case scenario. The combination of network access, no credentials, and low complexity means that exploitation is inevitable for any internet-facing instance without rapid patching or strong compensating controls.

References

Frequently asked questions

What is CVE-2021-35464?
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier
How severe is CVE-2021-35464?
CVE-2021-35464 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-35464 being actively exploited?
Yes. CVE-2021-35464 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-35464?
CVE-2021-35464 primarily affects Forgerock Access Management. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-35464?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-35464 have an EU (EUVD) identifier?
Yes. CVE-2021-35464 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-22106. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-35464 published?
CVE-2021-35464 was published on 2021-07-22 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Forgerock Access Management

All CVEs affecting Forgerock Access Management →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →