CVE-2026-2587
Oracle · GlassFish
A remote code execution vulnerability in the GlassFish server-side template rendering mechanism allows attackers to execute arbitrary commands via malicious Expression Language (EL) injection.
Executive summary
A critical remote code execution vulnerability in the GlassFish server allows unauthenticated attackers to gain full control of the underlying host system.
Vulnerability
The application improperly sanitizes user-supplied values during template rendering, enabling Expression Language (EL) injection. This allows an unauthenticated attacker to execute arbitrary OS commands on the host server.
Business impact
This vulnerability carries a CVSS score of 9.6, indicating catastrophic potential impact on business operations. Successful exploitation results in complete system compromise, enabling data exfiltration, persistence, and lateral movement within the network, and can lead to a total loss of confidentiality and integrity.
Remediation
Immediate Action: Apply the latest security patches provided by the vendor to remediate the template rendering mechanism.
Proactive Monitoring: Monitor server logs for suspicious XML input patterns and expressions (e.g., #{...}) that deviate from standard operational traffic.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block malicious EL injection patterns in incoming requests.
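A small log-scanning check for the monitoring recommendation above, added here as an example and not part of this advisory or of any Oracle or GlassFish tooling: it percent-decodes each request-log line repeatedly, so single- and double-encoded input is normalised, and flags EL expression openers, both #{ and ${ (the second is standard EL syntax that the advisory's example does not spell out). The log lines and their format are constructed assumptions.

```python
import re
from urllib.parse import unquote

# EL expression opener: "#{" (deferred) or "${" (immediate evaluation).
# A trailing "}" is optional so truncated fragments are still reported.
EL_EXPR = re.compile(r"[#$]\{[^}]*\}?")

# Constructed sample request-log lines (not real GlassFish output).
# Positions 2 and 3 (1-based) carry EL syntax, encoded once and twice;
# 4 and 5 contain "$" and "{...}" on their own and must NOT be flagged.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /app/index.xhtml?name=alice HTTP/1.1" 200',
    '10.0.0.5 - - "GET /app/index.xhtml?name=%23%7Bsession.id%7D HTTP/1.1" 200',
    '10.0.0.9 - - "POST /app/form.xhtml?q=%2524%257Bfoo%257D HTTP/1.1" 500',
    '10.0.0.5 - - "GET /app/index.xhtml?q=price%20%24100 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /app/index.xhtml?title=%7Bhome%7D HTTP/1.1" 200',
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded), so that
    %23%7B and double-encoded %2523%257B both normalise to '#{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def el_fragments(line: str) -> list[str]:
    """Return every EL-looking fragment found in a decoded log line."""
    return EL_EXPR.findall(decode_fully(line))


def is_suspicious(line: str) -> bool:
    """True when the line carries at least one EL expression opener."""
    return bool(el_fragments(line))


def scan_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, fragments) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fragments = el_fragments(line)
        if fragments:
            hits.append((number, fragments))
    return hits


if __name__ == "__main__":
    for number, fragments in scan_lines(SAMPLE_LINES):
        print(f"line {number}: EL syntax in request: {fragments}")
```

The same decode-then-match logic is what a WAF rule for this finding needs; matching only the literal text #{ without decoding would miss the encoded forms in lines 2 and 3.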
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for full system compromise, this vulnerability requires immediate attention. Security teams must ensure that all GlassFish instances are patched and that input validation controls are reviewed and strengthened to prevent further injection attempts.