CVE-2025-23367

Name: CVE-2025-23367
Creator: NVD / NIST
Published: 2025-01-30T15:15:18.61+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.62%

Last modified Jun 17, 2026

CVE-2025-23367 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. EPSS estimates a 0.62% chance of exploitation in the next 30 days.

Description

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.62%

45.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-284

Affected Software

Vendor	Product	Versions	Update
Redhat	Jboss Enterprise Application Platform	>= 7.4, < 7.4.21	—
Redhat	Jboss Enterprise Application Platform	>= 8.0.0, < 8.0.7	—
Redhat	Wildfly	< 27.0.1	—
Redhat	Wildfly	28.0.0	Beta1

References

https://access.redhat.com/errata/RHSA-2025:3465
https://access.redhat.com/errata/RHSA-2025:3467Issue Tracking
https://access.redhat.com/errata/RHSA-2025:3989Issue Tracking
https://access.redhat.com/errata/RHSA-2025:3990
https://access.redhat.com/errata/RHSA-2025:3992
https://access.redhat.com/security/cve/CVE-2025-23367Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2337620Vendor Advisory
https://github.com/advisories/GHSA-qr6x-62gq-4ccpThird Party Advisory

Timeline

Published: Jan 30, 2025
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2025-23367?

How severe is CVE-2025-23367?

CVE-2025-23367 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.62% probability of exploitation in the next 30 days.

How do I fix CVE-2025-23367?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-23367?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST