Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63617

CVE-2025-63617: Kutangguo Ktg-mes RCE Vulnerability

CVE-2025-63617 is a fastjson deserialization RCE flaw in Kutangguo Ktg-mes that allows attackers to execute arbitrary code. This article covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-63617 Overview

CVE-2025-63617 is an insecure deserialization vulnerability affecting ktg-mes, a manufacturing execution system developed by kutangguo. The application bundles a vulnerable version of the fastjson library and deserializes untrusted input data without adequate validation. Attackers can craft malicious JSON payloads that trigger unsafe object instantiation during deserialization. The flaw is categorized under [CWE-502] Deserialization of Untrusted Data. It affects all ktg-mes versions prior to commit a484f96 released on 2025-07-03. The vulnerability is exploitable over the network without authentication or user interaction.

Critical Impact

Remote attackers can exploit fastjson deserialization in ktg-mes to compromise application confidentiality and integrity through crafted JSON payloads sent to network-exposed endpoints.

Affected Products

  • kutangguo ktg-mes versions before commit a484f96 (2025-07-03)
  • All deployments using the bundled vulnerable fastjson library version
  • Manufacturing Execution System instances exposing JSON parsing endpoints

Discovery Timeline

  • 2025-11-10 - CVE-2025-63617 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-63617

Vulnerability Analysis

The vulnerability resides in how ktg-mes processes JSON input using the fastjson library. fastjson supports polymorphic deserialization through the @type field, which instructs the parser to instantiate arbitrary Java classes from serialized input. When the library version is vulnerable and input is not restricted through an allowlist of safe classes, attackers can specify gadget classes that trigger dangerous side effects during construction or property assignment. The ktg-mes application accepts untrusted JSON on network-reachable endpoints without validating type information. This exposes the application to remote deserialization abuse over standard HTTP channels.

Root Cause

The root cause is the use of an outdated fastjson version combined with unsafe deserialization of attacker-controlled data. Legacy fastjson releases include AutoType handling that resolves class names from JSON payloads at runtime. Without an enforced safeMode or strict allowlist, the parser instantiates any resolvable class present on the classpath.

Attack Vector

Attackers deliver crafted JSON payloads to any ktg-mes HTTP endpoint that forwards request bodies to a vulnerable fastjson parser. The payload embeds an @type directive referencing a known gadget class available in the application classpath. During parsing, the library instantiates the referenced class and invokes setters, triggering the malicious side effect chain. See the GitHub Documentation and the GitHub Gist Resource for technical details.

// No verified proof-of-concept code is published in the referenced advisories.
// Refer to the linked GitHub resources for technical write-up details.

Detection Methods for CVE-2025-63617

Indicators of Compromise

  • HTTP request bodies containing the @type JSON field targeting ktg-mes endpoints
  • Unexpected outbound network connections initiated by the ktg-mes Java process
  • Java stack traces referencing com.alibaba.fastjson.parser in application logs following anomalous requests
  • Spawning of child processes such as sh, bash, or cmd.exe from the ktg-mes service account

Detection Strategies

  • Inspect web application logs for JSON payloads containing @type, $ref, or references to known fastjson gadget classes such as com.sun.rowset.JdbcRowSetImpl or TemplatesImpl
  • Apply web application firewall rules that flag polymorphic type hints in JSON request bodies to ktg-mes URIs
  • Correlate deserialization exceptions in application logs with source IP addresses to identify probing activity
  • Monitor JVM behavior for unexpected class loading events from network-triggered code paths

Monitoring Recommendations

  • Enable verbose logging for the fastjson parser to capture attempted AutoType resolution requests
  • Ingest ktg-mes application and access logs into a centralized analytics platform for retroactive hunting
  • Track process ancestry for the ktg-mes Java service and alert on non-standard child processes
  • Baseline outbound network destinations from the application host and alert on new destinations

How to Mitigate CVE-2025-63617

Immediate Actions Required

  • Upgrade ktg-mes to a build that includes commit a484f96 or later
  • Restrict network access to ktg-mes administrative and API endpoints using firewall rules or reverse proxy allowlists
  • Audit application logs for prior exploitation attempts containing @type directives
  • Rotate credentials and secrets accessible to the ktg-mes service account if compromise is suspected

Patch Information

The vendor addressed the vulnerability in commit a484f96 dated 2025-07-03. Operators must pull the fixed source tree and rebuild deployments. Confirm the resolved fastjson dependency version matches a release that disables AutoType by default or enforces safeMode.

Workarounds

  • Disable fastjsonAutoType support by setting ParserConfig.getGlobalInstance().setAutoTypeSupport(false) where the parser is initialized
  • Enable fastjsonsafeMode through the -Dfastjson.parser.safeMode=true JVM flag to reject all @type directives
  • Deploy a reverse proxy rule that blocks HTTP requests containing the @type substring targeting ktg-mes API paths
  • Isolate ktg-mes in a segmented network zone until patched builds are deployed
bash
# Enable fastjson safeMode via JVM flag
java -Dfastjson.parser.safeMode=true -jar ktg-mes.jar

# Verify installed commit after upgrade
cd /opt/ktg-mes && git log --oneline | grep a484f96

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.