
Critical Vulnerability Found in Apache Roller Blog Server

A critical vulnerability in Apache Roller could be used to maintain persistent access by reusing older sessions even after password changes.


A critical vulnerability in Apache Roller could allow attackers to abuse previous sessions to maintain persistent access even after password changes.

An open source, Java-based blog server, Roller includes a content management system, multi-user support with three permission levels, integrated search, and support for templates and themes.

Last week, Apache announced that Roller version 6.1.5 had been released with a patch for a critical-severity bug in the software’s session management that left active user sessions without proper invalidation.

Tracked as CVE-2025-24859 (CVSS score of 10/10), the issue resulted in existing sessions remaining active even after the users changed their passwords. These sessions, Apache warned, could be used to maintain persistent access to the server.

“This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised,” Apache explains.

All Roller versions up to and including 6.1.4 are affected by the security defect. Roller version 6.1.5 comes with a centralized session management improvement to properly invalidate all active sessions upon password changes or when a user account is disabled.

According to the release notes, the latest Roller iteration implements RollerLoginSessionManager for better session tracking and improves cache handling for user sessions.
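The defect class described above, an authenticated session that keeps working after the password it was issued under has been changed, is easy to see in a minimal session registry. The following is an added illustration written for this article in Python (Roller itself is Java); it is not Apache Roller's code, and the names SessionRegistry, UserAccount and Session are constructed. The "legacy" policy reproduces the bug, "revoke" shows the centralized fix the release notes describe (drop every session belonging to the user on password change or account disable), and "version" shows the complementary check of stamping each session with a credential generation so that a stale session fails validation even if the registry lost track of it.

```python
"""Session invalidation on password change: the defect class behind
CVE-2025-24859 and two ways to prevent it. Added illustration; not
Apache Roller's code. SessionRegistry, UserAccount and Session are
constructed names for this example."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True
    # Bumped on every credential change or disable; a session records the
    # value current when it was issued ("token version" pattern).
    cred_generation: int = 0


@dataclass
class Session:
    username: str
    cred_generation: int


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SessionRegistry:
    """policy="legacy": password change leaves sessions untouched (the bug).
    policy="revoke":  registry drops every session of the user (centralized fix).
    policy="version": sessions issued before the change fail validation even
                      if the registry no longer tracks them."""

    def __init__(self, policy: str = "revoke") -> None:
        assert policy in ("legacy", "revoke", "version")
        self.policy = policy
        self.users: dict[str, UserAccount] = {}
        self.sessions: dict[str, Session] = {}   # token -> session
        self.by_user: dict[str, set[str]] = {}    # username -> tokens

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = UserAccount(username, salt, _hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.enabled:
            return None
        if not secrets.compare_digest(_hash(password, user.salt), user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.cred_generation)
        self.by_user.setdefault(username, set()).add(token)
        return token

    def is_authenticated(self, token: Optional[str]) -> bool:
        session = self.sessions.get(token) if token else None
        if session is None:
            return False
        user = self.users[session.username]
        if not user.enabled:
            return False
        # Stateless check: reject anything issued under older credentials.
        if self.policy == "version" and session.cred_generation != user.cred_generation:
            return False
        return True

    def _revoke_all(self, username: str) -> int:
        tokens = self.by_user.pop(username, set())
        for token in tokens:
            self.sessions.pop(token, None)
        return len(tokens)

    def _credentials_changed(self, user: UserAccount) -> None:
        user.cred_generation += 1
        if self.policy == "revoke":
            self._revoke_all(user.username)
        # "legacy" does nothing here: every existing session keeps working.

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash(new_password, user.salt)
        self._credentials_changed(user)

    def disable_account(self, username: str) -> None:
        user = self.users[username]
        user.enabled = False
        self._credentials_changed(user)


def stale_session_survives(policy: str) -> bool:
    """Does a session token issued before a password change still authenticate?"""
    reg = SessionRegistry(policy)
    reg.create_user("alice", "old-password")   # constructed sample account
    old_token = reg.login("alice", "old-password")
    reg.change_password("alice", "new-password")
    return reg.is_authenticated(old_token)


if __name__ == "__main__":
    for policy in ("legacy", "revoke", "version"):
        print(f"{policy:8s} stale session survives: {stale_session_survives(policy)}")
```

The "revoke" path is only as good as the registry's view of live sessions, which is why a cache that serves session objects the registry has already dropped defeats it; the "version" check closes that gap because validation compares the session against the account's current state on every request. Running both is the usual recommendation.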

This is the second vulnerability with a maximum severity rating that Apache has resolved over the past two weeks, after patching CVE-2025-30065 in Apache Parquet.


Described as the deserialization of untrusted data in the parquet-avro module, the Parquet bug could be exploited remotely for arbitrary code execution, potentially leading to complete system takeover.

Related: Exploit Code for Apache Tomcat RCE Vulnerability Published on Chinese Forum

Related: CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days

Related: Vulnerabilities Patched by Ivanti, VMware, Zoom

Related: Exploitation of Recent Critical Apache Struts 2 Flaw Begins

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
