A critical remote code execution vulnerability, identified as CVE-2025-70974, exists in older versions of the Fastjson library. This flaw allows an unauthenticated attacker to take complete control of an affected server by sending a specially crafted data request, potentially leading to data theft, service disruption, and further network compromise. Due to its critical severity and history of active exploitation, immediate remediation is strongly advised.

This vulnerability is an insecure deserialization flaw rooted in Fastjson's "autoType" feature. When autoType is enabled, an attacker can submit a malicious JSON payload containing an @type key. This key specifies the name of a Java class on the server's classpath that Fastjson will then instantiate.

This vulnerability is rated as critical severity with a CVSS score of 10.0, reflecting the highest possible risk. Successful exploitation allows an unauthenticated attacker to execute arbitrary code with the permissions of the application server. This can lead to a complete system compromise, enabling the attacker to steal sensitive corporate or customer data, install ransomware, deploy cryptocurrency miners, or use the compromised server as a pivot point to attack other systems within the internal network. The potential consequences include severe financial loss, significant reputational damage, and potential regulatory fines.

Immediate Action: The primary remediation is to upgrade the Fastjson library in all affected applications to version 1.2.48 or a later, secure version. After patching, administrators must monitor for any ongoing exploitation attempts by reviewing application, web server, and system access logs for suspicious JSON payloads or unusual outbound network activity.

Proactive Monitoring:

• Log Analysis: Scrutinize application and web server logs for inbound JSON requests containing the @type keyword followed by suspicious class names (e.g., com.sun.rowset.JdbcRowSetImpl, org.apache.xbean.propertyeditor.JndiConverter).
• Network Traffic Analysis: Monitor for unusual outbound connections from application servers, particularly over ports associated with JNDI protocols like LDAP (389, 1389) and RMI (1099).
• Endpoint Detection: Monitor for unexpected child processes being spawned by the Java application process (e.g., sh, bash, cmd.exe, powershell.exe).

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

• Disable autoType: Explicitly disable the autoType feature in the Fastjson configuration. This is the most effective compensating control.
• Web Application Firewall (WAF): Implement WAF rules to inspect and block JSON payloads containing known malicious patterns associated with this exploit.
• Egress Filtering: Restrict outbound network connections from application servers to only known and trusted destinations, blocking protocols like LDAP and RMI to the public internet.

Public Exploit Available: true

Given the critical CVSS score of 10.0 and confirmed long-term exploitation by threat actors, this vulnerability represents an extreme and immediate threat. All organizations must prioritize identifying and patching affected applications by upgrading the Fastjson library to version 1.2.48 or later without delay. While this CVE is not yet on the CISA KEV list as of its publication, its exploit history makes it a prime candidate for future inclusion. Due to the pre-disclosure exploitation, organizations should assume compromise and initiate incident response procedures, including hunting for indicators of compromise described in the Proactive Monitoring section.