Unrated severityCISA KEVNVD Advisory· Published Jul 22, 2021· Updated Oct 21, 2025

CVE-2021-35464

Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Affected products

ForgeRock/AM serverdescription

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.htmlmitrex_refsource_MISC
packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.htmlmitrex_refsource_MISC
backstage.forgerock.com/knowledge/kb/article/a47894244mitrex_refsource_CONFIRM
bugster.forgerock.orgmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.076
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060