Is EEM affected by the CVE-2025-68161 vulnerability?
Embedded Entitlements Manager (EEM) 12.6/12.7
It has been determined that EEM is not affected by this vulnerability based on the following:
API Usage: EEM doesn't utilize the Log4j SocketAppender API within the source code.
Programmatic Configuration: There is no programmatic implementation of the SocketAppender configuration within the environment.
Runtime Configuration: EEM has no Log4j configuration that references the Log4j SocketAppender functionality at runtime.
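The runtime-configuration point can be checked on a given installation with a scan like the following, an added example that is not part of the original article and is not EEM code. It looks for Socket appender references in Log4j XML and properties files under a directory passed on the command line; the sample configurations and the host name in them are constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Log4j 2 properties syntax: appender.<id>.type = Socket
PROP_V2 = re.compile(r"^\s*appender\.[\w.-]+\.type\s*[=:]\s*Socket\s*$", re.I)
# Class-name reference such as Log4j 1.x org.apache.log4j.net.SocketAppender
CLASS_REF = re.compile(r"\bSocketAppender\b")
def find_in_xml(data):
    """Findings in a Log4j XML configuration (concise or strict syntax)."""
    hits = []
    for el in ET.fromstring(data).iter():  # the parser drops XML comments
        tag = el.tag.rsplit("}", 1)[-1]    # strip any namespace prefix
        if tag.lower() == "socket" or (tag.lower() == "appender" and (
                el.get("type", "").lower() == "socket"
                or CLASS_REF.search(el.get("class", "")))):
            hits.append(f"<{tag} name={el.get('name')!r}>")
    return hits

def find_in_properties(text):
    """Findings in a Log4j .properties configuration, skipping comment lines."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith(("#", "!")) and (
                PROP_V2.match(line) or CLASS_REF.search(line)):
            hits.append(f"line {n}: {line.strip()}")
    return hits

def scan(root):
    """Map each .xml/.properties file under root that has findings to them."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".xml", ".properties"):
            continue
        try:
            hits = (find_in_xml(path.read_bytes()) if path.suffix.lower() == ".xml"
                    else find_in_properties(path.read_text(encoding="latin-1")))
        except ET.ParseError:
            hits = ["not well-formed XML, review manually"]
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample configurations (not taken from an EEM installation).
SAMPLE_CLEAN = '<Configuration><Appenders><RollingFile name="f" fileName="eem.log"/></Appenders></Configuration>'
SAMPLE_SOCKET = '<Configuration><Appenders><Socket name="remote" host="loghost.example" port="6514"/></Appenders></Configuration>'
if __name__ == "__main__":
    for path, hits in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *hits, sep="\n  ")
```

An empty result speaks only to the runtime-configuration point; API usage and programmatic configuration are determinations made from the source code.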
Note: The .jar files located under the EmbeddedEntitlementsManager folder (default location: C:\Program Files\CA\SC\EmbeddedEntitlementsManager) must not be deleted. Deleting files from the EEM folder will impact normal EEM operations.
The EEM Engineering team is planning to release EEM 12.7.3, which contains the latest version of Log4j, in the first week of June 2026 (subject to change) after validation from the embedding products (like Service Management), which might take some more time.