VYPR
Low severity · NVD Advisory · Published Apr 27, 2025 · Updated Apr 28, 2025

Apereo CAS Groovy Code RegisteredServiceSimpleFormController.java saveService code injection

CVE-2025-3984

Description

A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apereo CAS 5.2.6 is vulnerable to remote Groovy code injection through the saveService function of RegisteredServiceSimpleFormController in the CAS management webapp; a proof-of-concept exploit is public and no vendor fix is listed.

Vulnerability

Overview

CVE-2025-3984 is a code injection vulnerability in Apereo CAS 5.2.6, rated critical in the CVE description (the severity shown at the top of this page is lower). The flaw is in the saveService function of RegisteredServiceSimpleFormController.java, which belongs to the cas-management-webapp-support module, that is, the CAS management webapp used to create and edit registered-service definitions, within the component the description calls the Groovy Code Handler [1]. Input submitted to that service-saving endpoint reaches Groovy evaluation, so an attacker who can get a crafted service definition accepted by saveService can have arbitrary Groovy code executed by the CAS process [1]. The description does not say which field of the definition carries the script.

Exploitation

Details

The attack can be launched over the network, but the description rates attack complexity as high and notes that exploitation is known to be difficult [1]. It does not state which privileges or authentication are required [1]; note, however, that the affected controller is part of the CAS management webapp, an administrative interface, so in a typical deployment the attacker must first be able to reach that webapp and, where it is protected as intended, authenticate to it. A proof-of-concept exploit has been published, which lowers the bar for any attacker who already has that access and makes it more likely to be folded into tooling [1].

Impact

Successful exploitation gives the attacker arbitrary code execution inside the CAS server process, with that process's privileges and with access to whatever secrets CAS is configured with. From there an attacker could compromise the underlying host, read user and session data, bypass or subvert authentication, or pivot into internal networks [1]. Because CAS is typically the central Single Sign-On identity provider, a compromised instance affects every application that trusts it [2].

Mitigation

Status

Apereo was contacted before publication but did not respond, and at publication time no fix or vendor advisory had been released [1]; this page lists no patched version. CAS 5.2.x is an old release line that is no longer maintained, so organizations still running it should plan a move to a currently supported CAS release line rather than wait for a 5.2 fix, and should confirm against the vendor's own advisories that the version they move to is not affected. Until then: do not expose the CAS management webapp to untrusted networks (restrict it at the network or reverse-proxy layer to administrator sources), require strong authentication for it, review persisted registered-service definitions for Groovy script content that administrators did not add, and monitor access logs for POST requests to the saveService endpoint from unexpected sources. A Web Application Firewall rule that tries to block "malicious payloads" sent to saveService is at best a stop-gap: legitimate CAS service definitions can legitimately contain Groovy, and an injected payload is ordinary Groovy code, so signature matching will be both noisy and easy to evade [2].
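Two of the checks above (reviewing persisted service definitions for embedded Groovy, and watching the access log for saveService requests from non-administrator sources) are easy to script. The following is an added example written for this page; it is not Apereo's code and not from the advisory. The Groovy indicator patterns, the endpoint path ending in /saveService, the service definition and the log lines are all assumptions or constructed samples and should be tuned to the local deployment.

```python
"""Audit helpers for CVE-2025-3984 (Apereo CAS 5.2.6 management webapp).

Added example, not Apereo's code. Two checks:
  scan_service_definition(): walk a CAS JSON service definition and report every
      string that looks like embedded Groovy, on the assumption that an injected
      payload has to survive as a string inside the persisted definition.
  flag_save_service_requests(): parse combined-format access-log lines and flag
      POSTs to a path ending in /saveService from outside an admin allow-list.
The endpoint path, the Groovy indicators, the service definition and the log
lines are assumptions or constructed samples, not taken from the advisory.
"""
import ipaddress
import re
from typing import Iterator

# Indicator patterns for Groovy inside a service definition (assumed; tune locally).
GROOVY_PATTERNS = [
    re.compile(r"^\s*groovy\s*\{", re.IGNORECASE),                      # inline "groovy { ... }" block
    re.compile(r"\.groovy\b", re.IGNORECASE),                            # reference to a .groovy file
    re.compile(r"Runtime\.getRuntime|ProcessBuilder|\.execute\s*\("),    # shell-out idioms
]

def _string_leaves(node, path="$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _string_leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _string_leaves(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_service_definition(definition: dict) -> list[dict]:
    """Return one finding per string leaf that matches any Groovy indicator."""
    findings = []
    for path, value in _string_leaves(definition):
        for pattern in GROOVY_PATTERNS:
            if pattern.search(value):
                findings.append({"path": path, "indicator": pattern.pattern, "value": value})
                break
    return findings

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_save_service_requests(log_lines, admin_nets) -> list[dict]:
    """Flag POSTs to .../saveService whose client IP is outside admin_nets (CIDRs)."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].rstrip("/").endswith("/saveService"):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in nets):
            hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "status": int(m["status"])})
    return hits

# --- constructed samples (not real deployment data) ---------------------------
SAMPLE_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": r"^https://app\.example\.org/.*",
    "name": "Example App",
    "id": 1001,
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes": {
            "@class": "java.util.TreeMap",
            "uid": "uid",
            "mail": "groovy { return 'id'.execute().text }",   # injected inline script
        },
    },
    "accessStrategy": {
        "@class": "org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy",
        "groovyScript": "file:/etc/cas/scripts/access.groovy",  # external script reference
    },
}

SAMPLE_LOG = [
    '10.20.0.5 - admin [27/Apr/2025:10:01:12 +0000] "POST /cas-management/manage/saveService HTTP/1.1" 200 512',
    '203.0.113.42 - admin [27/Apr/2025:10:07:45 +0000] "POST /cas-management/manage/saveService HTTP/1.1" 200 498',
    '203.0.113.42 - - [27/Apr/2025:10:08:01 +0000] "GET /cas-management/manage/loadService?id=1001 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [27/Apr/2025:10:09:30 +0000] "POST /cas-management/manage/saveService HTTP/1.1" 403 0',
]
ADMIN_NETS = ["10.20.0.0/16"]   # assumed administrator network

if __name__ == "__main__":
    for f in scan_service_definition(SAMPLE_SERVICE):
        print(f"groovy indicator at {f['path']}: {f['value']!r}")
    for h in flag_save_service_requests(SAMPLE_LOG, ADMIN_NETS):
        print(f"saveService POST from non-admin source {h['ip']} (user={h['user']}, status={h['status']})")
```

On the constructed sample the scanner reports the inline script under the mapped "mail" attribute and the external script reference in the access strategy, and the log check flags both saveService POSTs from outside 10.20.0.0/16 (the 403 as well as the 200, since a rejected attempt is still worth knowing about). The scanner deliberately reports every Groovy occurrence rather than trying to judge intent; it is a review aid for an administrator who knows which scripts are expected, not a verdict.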

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                         Ecosystem   Affected versions   Patched versions
org.apereo.cas:cas-management-webapp-support    Maven       <= 5.2.6            none listed

Affected products (2)

  • Apereo/CAS (llm-fuzzy), range: =5.2.6
  • Apereo/CAS (v5), range: 5.2.6

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.