Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

ForgeRock AM Vulnerability Exploited in Attacks

Government agencies in the United States and Australia warn organizations that a vulnerability affecting ForgeRock Access Management has been exploited in the wild.

Government agencies in the United States and Australia warn organizations that a vulnerability affecting ForgeRock Access Management has been exploited in the wild.

Offered by identity and access management solutions provider ForgeRock, Access Management (AM) is designed to allow organizations to manage various types of digital identities. AM is based on the OpenAM open source solution, which ForgeRock sponsored until 2016.

The vulnerability discovered in ForgeRock AM, tracked as CVE-2021-35464 and rated critical, is a Java deserialization issue that can be exploited by an unauthenticated attacker for remote code execution by sending a specially crafted request to an exposed system.

In its advisory, ForgeRock said, “An attacker can use the code execution to extract credentials and certificates, or to gain a further foothold on the host by staging some kind of shell (such as the common implant Cobalt Strike).”

According to the vendor, AM versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3 are impacted, as well as AM 5.x (no longer supported), and OpenAM versions 9.x through 13.x. AM version 7 is not affected.

The flaw was discovered by Michael Stepankin, a researcher at cybersecurity firm PortSwigger. Stepankin disclosed details of the vulnerability and shared proof-of-concept (PoC) code in late June, when ForgeRock announced the availability of a patch and workarounds.

The Australian Cyber Security Centre (ACSC) warned in an alert issued on July 7, roughly one week after a patch was released, that it had identified “a number of Australian organizations” that had been breached through the exploitation of this vulnerability.

“The ACSC has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,” the agency said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Monday, but it’s unclear whether the agency has also observed attacks or if the warning is based on the ACSC alert, which is referenced by CISA.

ForgeRock noted that an attacker can exploit the vulnerability to execute code in the context of the current user, which is why it has advised organizations to ensure that AM is running with minimal privileges.

“The ForgeRock AM deployment should also have suitable firewall, or security groups attached which do not allow traffic in or out of the server where not explicitly required,” the company said.

*updated to clarify that version 7 of AM is not affected; added more information on affected products; headline modified;

Related: SolarWinds Confirms New Zero-Day Flaw Under Attack

Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug

Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.