CVE-2025-5326 Overview
CVE-2025-5326 is an insecure deserialization vulnerability in Zhilink ADP Application Developer Platform (应用开发者平台) version 1.0.0. The flaw resides in unknown functionality of the /adpweb/wechat/verifyToken/ endpoint, where untrusted input is deserialized without sufficient validation. Attackers can trigger the vulnerability remotely over the network with low privileges. The exploit has been publicly disclosed, and the vendor did not respond to early disclosure attempts. The weaknesses involved are tracked as Improper Input Validation [CWE-20] and Deserialization of Untrusted Data [CWE-502].
Critical Impact
Remote attackers can submit crafted serialized payloads to /adpweb/wechat/verifyToken/, leading to deserialization-driven compromise of confidentiality, integrity, and availability of the application.
Affected Products
- Zhilink ADP Application Developer Platform 1.0.0
- Component: zhilink:adp_application_developer_platform
- Vulnerable endpoint: /adpweb/wechat/verifyToken/
Discovery Timeline
- 2025-05-29 - CVE-2025-5326 published to NVD
- 2025-10-03 - Last updated in NVD database
Technical Details for CVE-2025-5326
Vulnerability Analysis
The vulnerability is an insecure deserialization issue exposed through the /adpweb/wechat/verifyToken/ HTTP endpoint of the ADP Application Developer Platform. The endpoint accepts attacker-controlled data and reconstructs objects from it without validating type, structure, or origin. When an application deserializes attacker-controlled bytes, gadget chains present in the runtime classpath can be invoked during object reconstruction, enabling arbitrary behavior tied to those gadgets.
The vendor was contacted prior to public disclosure but did not respond. No official patch or vendor advisory is referenced in NVD. The associated weaknesses are Improper Input Validation [CWE-20] and Deserialization of Untrusted Data [CWE-502], a combination typically associated with remote code execution and authentication bypass when reachable gadget chains exist.
Root Cause
The root cause is the application's acceptance and deserialization of untrusted input on the verifyToken endpoint without filtering, signing, or type-restricting the serialized payload. Because there is no allowlist of permitted classes and no integrity check on the incoming token, an attacker can substitute the expected object graph with a hostile one.
Attack Vector
The attack vector is network-based and remote. An authenticated user with low privileges submits a crafted serialized object to /adpweb/wechat/verifyToken/. The server invokes the deserialization routine, instantiating attacker-chosen classes and triggering side effects such as command execution, file access, or application-state tampering. No user interaction is required, and the attack complexity is low.
No verified proof-of-concept code is published in the referenced sources. Technical details for the submission are tracked under VulDB CTI #310496 and VulDB Submission #581277.
Detection Methods for CVE-2025-5326
Indicators of Compromise
- HTTP POST or GET requests to /adpweb/wechat/verifyToken/ containing base64-encoded or binary serialized payloads.
- Unexpected child processes spawned by the ADP web application process shortly after requests to the verifyToken endpoint.
- Outbound connections from the ADP server to unfamiliar hosts immediately following verifyToken traffic.
- Java or runtime stack traces in application logs referencing deserialization classes (ObjectInputStream, readObject, common gadget libraries).
Detection Strategies
- Inspect web server and application logs for requests to /adpweb/wechat/verifyToken/ with non-standard content types or unusually large bodies.
- Apply web application firewall signatures that detect Java/Python/PHP serialization magic bytes (ac ed 00 05, O:, rO0) in request bodies.
- Correlate authenticated session activity with process-creation telemetry on the ADP host to surface deserialization-triggered code execution.
Monitoring Recommendations
- Forward ADP application and access logs to a central analytics platform and alert on repeated verifyToken requests from a single source.
- Monitor the ADP service account for new outbound network connections, file writes outside the application directory, and shell process creation.
- Track changes to application configuration and scheduled tasks on hosts running ADP 1.0.0.
How to Mitigate CVE-2025-5326
Immediate Actions Required
- Restrict network access to /adpweb/wechat/verifyToken/ to trusted internal sources using firewall or reverse-proxy rules.
- Require strong authentication on all ADP endpoints and revoke low-privilege accounts that do not need access to the platform.
- Increase logging verbosity on the ADP web tier and review historical access to the verifyToken endpoint for anomalous payloads.
Patch Information
No vendor patch is referenced in NVD for CVE-2025-5326. The vendor did not respond to the disclosure attempt. Organizations running Zhilink ADP Application Developer Platform 1.0.0 should monitor VulDB #310496 for updates and contact the vendor directly for remediation guidance.
Workarounds
- Block external access to /adpweb/wechat/verifyToken/ at the network edge until a fix is available.
- Place a reverse proxy or WAF in front of ADP and drop requests whose bodies contain Java serialization headers (ac ed 00 05) or other serialization markers.
- If the verifyToken functionality is not required, disable the underlying handler or remove the route mapping in the application configuration.
- Run the ADP service under a low-privilege account with restricted filesystem and outbound network permissions to limit post-exploitation impact.
# Example nginx rule to block serialized Java payloads to the vulnerable endpoint
location /adpweb/wechat/verifyToken/ {
if ($request_body ~* "rO0AB|\\xac\\xed\\x00\\x05") {
return 403;
}
allow 10.0.0.0/8;
deny all;
proxy_pass http://adp_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

