- Description
- Apache Syncope lets each deployment extend or customize its base behavior by providing custom implementations of a few Java interfaces. Such implementations can be supplied either as Java or as Groovy classes, the latter being particularly attractive because the machinery supports runtime reload. This feature has been available for a while, but it was recently discovered that a malicious administrator can inject Groovy code that is then executed by a running Apache Syncope Core instance. Consistent with the PR:H in the CVSS vector, exploitation requires an account that is already allowed to manage implementations: the escalation is from (possibly delegated) application administrator to code execution on the Core host. Users are recommended to upgrade to version 3.0.14 or 4.0.2, which fix the issue by forcing the Groovy code to run in a sandbox.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- syncope
CVSS 3.1
- Type
- Secondary
- Base score
- 7.2
- Impact score
- 5.9
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- Source
- security@apache.org
- Weakness
- CWE-653 (Improper Isolation or Compartmentalization)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 8
Apache Syncope CVE-2025-57738 allows root RCE via unsandboxed Groovy. Technical details and PoC are now public. Upgrade to v3.0.14 or 4.0.2 immediately. #ApacheSyncope #CVE202557738 #InfoSec #CyberSecurity #RCE #PoC #Vulnerability #IdentityManagement https://t.co/AY8vsqN9aD http
@the_yellow_fall
20 Apr 2026
591 Impressions
3 Retweets
11 Likes
2 Bookmarks
0 Replies
0 Quotes
A public PoC (proof of concept) and technical details have been published for the remote code execution (RCE) vulnerability (CVE-2025-57738) in the identity-management platform Apache Syncope. By abusing administrator privileges, the entire server can be taken over. According to SecureLayer7's report, Apach
@yousukezan
20 Apr 2026
1771 Impressions
5 Retweets
10 Likes
4 Bookmarks
0 Replies
0 Quotes
"However, many Syncope deployments use default credentials (admin:password)," 😩 CVE-2025-57738: Apache Syncope Groovy Injection RCE https://t.co/hmY7ZZZobw
@autumn_good_35
20 Apr 2026
457 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-57738: Apache Syncope Groovy Injection RCE https://t.co/E4XiVqWZc0
@Dinosn
20 Apr 2026
1209 Impressions
1 Retweet
6 Likes
3 Bookmarks
0 Replies
0 Quotes
Less than 1-Day: CVE-2025-57738 - Apache Syncope allows malicious administrators to inject Groovy code https://t.co/Zql4Jzc0px Advs: https://t.co/zkmfSj7gNl Another #pruva reproduction🧯 https://t.co/9mdnwkkVPb
@N3mes1s
21 Oct 2025
2189 Impressions
11 Retweets
43 Likes
18 Bookmarks
0 Replies
0 Quotes
https://t.co/80zVAlvBPb - CVE-2025-57738 | *Severity:* HIGH Bug Bounty Relevance: HIGH Apache Syncope allows remote execution of Groovy code through custom implementations. Upgrading to version 3.0.14 / 4.0.2 is recommended, but this iss (1/2)
@BugBountyShorts
20 Oct 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-57738 Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; … https://t.co/BZPmzFkVbR
@CVEnew
20 Oct 2025
298 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators https://t.co/BRz7EiT4wk A malicious administrator can inject Groovy code that can be executed remotely. New versions fix this issue by forcing the Groovy code to run in a sandbox.
@oss_security
20 Oct 2025
214 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8823A707-C1A3-4418-8DC2-CB879C8D2D8A",
"versionEndExcluding": "3.0.14",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8722F657-C2A5-49FE-B79D-2B06F030A8AF",
"versionEndExcluding": "4.0.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]
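The CPE configuration above encodes two affected ranges (2.1.0 up to but excluding 3.0.14, and 4.0.0 up to but excluding 4.0.2) joined by OR. The script below is an added example, not code from the Syncope project or from NVD, that evaluates an installed version against those ranges the way an NVD-style matcher does and reports the minimum upgrade target on the same release line. It assumes Maven-style version ordering (numeric components compare numerically, a "-M1" or "-SNAPSHOT" suffix sorts before the final release of the same number) and simplifies CPE matching by ignoring escaped colons and vulnerable=false platform entries; the sample versions in the main block are constructed for illustration.

```python
"""Check an installed Apache Syncope version against the NVD CPE applicability
ranges listed on this page for CVE-2025-57738 (added example, not project code)."""
import re

# NVD "configurations" for CVE-2025-57738, copied from the CPE block above.
SYNCOPE_CPE = "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*"
CVE_2025_57738_CONFIGURATIONS = [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
    {"criteria": SYNCOPE_CPE, "versionStartIncluding": "2.1.0",
     "versionEndExcluding": "3.0.14", "vulnerable": True},
    {"criteria": SYNCOPE_CPE, "versionStartIncluding": "4.0.0",
     "versionEndExcluding": "4.0.2", "vulnerable": True},
]}]}]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")


def parse_version(version):
    """'3.0.14' -> ((3, 0, 14), 1, ''); '4.0.0-M1' -> ((4, 0, 0), 0, 'm1').
    Numeric parts compare numerically and a pre-release suffix (-M1, -SNAPSHOT)
    sorts before the final release of the same number, as Maven orders them
    (assumed ordering). Fewer than three numeric parts are zero-padded."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numeric = tuple(int(p) for p in m.group(1).split("."))
    numeric += (0,) * max(0, 3 - len(numeric))
    suffix = (m.group(2) or "").lower()
    return (numeric, 0 if suffix else 1, suffix)


def cpe_vendor_product(criteria):
    """Vendor and product fields of a CPE 2.3 string (cpe:2.3:part:vendor:product:...).
    Simplification: backslash-escaped colons inside a field are not handled."""
    fields = criteria.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return fields[3], fields[4]


def entry_matches(entry, vendor, product, version):
    """One cpeMatch entry: product must match, then each of the four optional
    NVD bounds (versionStart/End Including/Excluding) that is present."""
    if cpe_vendor_product(entry["criteria"]) != (vendor, product):
        return False
    v = parse_version(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(ok(parse_version(entry[key])) for key, ok in bounds if key in entry)


def node_matches(node, vendor, product, version):
    """OR/AND over the node's vulnerable entries and any child nodes, then apply
    'negate'. Simplification: vulnerable=False entries (the 'running on'
    platform side of an AND node) are ignored rather than evaluated."""
    results = [entry_matches(e, vendor, product, version)
               for e in node.get("cpeMatch", []) if e.get("vulnerable", True)]
    results += [node_matches(c, vendor, product, version) for c in node.get("children", [])]
    combined = any(results) if node.get("operator", "OR") == "OR" else all(results)
    return (not combined) if node.get("negate", False) else combined


def is_vulnerable(configurations, vendor, product, version):
    """NVD convention: the CVE applies if any configuration matches, and a
    configuration matches only if all of its nodes do."""
    return any(all(node_matches(n, vendor, product, version) for n in cfg["nodes"])
               for cfg in configurations)


def fixed_version_for(configurations, vendor, product, version):
    """versionEndExcluding of the first vulnerable top-level range the version
    falls in, i.e. the minimum upgrade target on that release line, else None."""
    for cfg in configurations:
        for node in cfg["nodes"]:
            for e in node.get("cpeMatch", []):
                if e.get("vulnerable", True) and entry_matches(e, vendor, product, version):
                    return e.get("versionEndExcluding")
    return None


if __name__ == "__main__":
    # Constructed sample versions, including a pre-release build of the fix.
    for v in ("2.0.9", "2.1.0", "3.0.13", "3.0.14-SNAPSHOT", "3.0.14", "4.0.1", "4.0.2"):
        args = (CVE_2025_57738_CONFIGURATIONS, "apache", "syncope", v)
        print(f"syncope {v:<16} vulnerable={is_vulnerable(*args)!s:<5} "
              f"upgrade_to={fixed_version_for(*args)}")
```

Two things worth noticing when running it: a 3.0.14-SNAPSHOT build still counts as affected because the pre-release sorts below the fixed release, and a version such as 3.1.0 is reported as not affected only because NVD lists no range covering it; the script trusts the published ranges rather than the advisory text, so treat a "not vulnerable" answer for an unlisted line as "unlisted", not as a guarantee.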