CVE-2026-2586

Oracle · GlassFish

An authenticated remote code execution vulnerability exists in the GlassFish Administration Console, allowing users with console access to execute arbitrary commands.

Executive summary

An authenticated remote code execution vulnerability in the GlassFish Administration Console allows an attacker with panel access to execute arbitrary operating system commands.

Vulnerability

The Administration Console fails to properly sanitize requests, allowing an authenticated user to execute arbitrary commands with the privileges of the application service user.

Business impact

With a CVSS score of 9.1, this flaw poses a severe risk to internal security, as it allows a compromised or malicious administrative account to escalate privileges to the OS level. This could result in unauthorized data access or the complete takeover of the application server.

Remediation

Immediate Action: Update GlassFish to the latest patched version and audit current administrative accounts for unauthorized activity.

Proactive Monitoring: Review logs for command execution attempts within the Administration Console and limit access to the console to trusted IP addresses only.

Compensating Controls: Implement Multi-Factor Authentication (MFA) for all administrative access and utilize the principle of least privilege for service accounts.
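The "Proactive Monitoring" item above can be turned into a repeatable check. The following added example (not part of the advisory or of GlassFish itself) flags Administration Console requests whose client address lies outside a trusted-IP allowlist. It assumes the DAS access log is written in Common Log Format and that console traffic uses the `/management/` (REST) and `/common/` (GUI) path prefixes; the log lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Mar/2026:10:01:02 +0000] "GET /common/index.jsf HTTP/1.1" 200 9120
10.0.0.5 - admin [02/Mar/2026:10:01:09 +0000] "POST /management/domain/applications/application HTTP/1.1" 200 512
203.0.113.7 - admin [02/Mar/2026:10:02:30 +0000] "POST /management/domain/applications/application HTTP/1.1" 200 300
198.51.100.9 - - [02/Mar/2026:10:03:00 +0000] "GET /common/index.jsf HTTP/1.1" 401 0
this line is not in CLF and must be skipped
"""

# Common Log Format: ip ident user [time] "method path proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Assumed admin-console path prefixes (REST admin API and the web GUI).
ADMIN_PREFIXES = ("/management/", "/common/")


def parse_line(line):
    """Return (ip, user, method, path, status) or None for non-CLF lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, user, method, path, status = m.groups()
    return ip, user, method, path, int(status)


def admin_requests_outside_allowlist(log_text, allowed_cidrs):
    """Admin-console requests whose client IP is not in any allowed CIDR."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, method, path, status = rec
        if not path.startswith(ADMIN_PREFIXES):
            continue
        try:
            trusted = any(ipaddress.ip_address(ip) in n for n in networks)
        except ValueError:
            trusted = False  # an unparsable source address is never trusted
        if not trusted:
            hits.append({"ip": ip, "user": user, "method": method,
                         "path": path, "status": status})
    return hits


def successful_hits(hits):
    """Subset the server accepted (2xx): requests that actually ran."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    for h in admin_requests_outside_allowlist(SAMPLE_LOG, ["10.0.0.0/24"]):
        print(h)
```

Accepted (2xx) requests from untrusted addresses are the ones to investigate first, since a rejected login attempt and a command that ran under the service account are very different events.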

Exploitation status

Public Exploit Available: false

Analyst recommendation

While this vulnerability requires authentication, the impact is severe. Organizations should immediately review who has access to the GlassFish Administration Console and apply the vendor's security patches to prevent potential privilege escalation.