Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

ForgeRock AM Vulnerability Exploited in Attacks

Government agencies in the United States and Australia warn organizations that a vulnerability affecting ForgeRock Access Management has been exploited in the wild.

Government agencies in the United States and Australia warn organizations that a vulnerability affecting ForgeRock Access Management has been exploited in the wild.

Offered by identity and access management solutions provider ForgeRock, Access Management (AM) is designed to allow organizations to manage various types of digital identities. AM is based on the OpenAM open source solution, which ForgeRock sponsored until 2016.

The vulnerability discovered in ForgeRock AM, tracked as CVE-2021-35464 and rated critical, is a Java deserialization issue that can be exploited by an unauthenticated attacker for remote code execution by sending a specially crafted request to an exposed system.

In its advisory, ForgeRock said, “An attacker can use the code execution to extract credentials and certificates, or to gain a further foothold on the host by staging some kind of shell (such as the common implant Cobalt Strike).”

According to the vendor, AM versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3 are impacted, as well as AM 5.x (no longer supported), and OpenAM versions 9.x through 13.x. AM version 7 is not affected.

The flaw was discovered by Michael Stepankin, a researcher at cybersecurity firm PortSwigger. Stepankin disclosed details of the vulnerability and shared proof-of-concept (PoC) code in late June, when ForgeRock announced the availability of a patch and workarounds.

The Australian Cyber Security Centre (ACSC) warned in an alert issued on July 7, roughly one week after a patch was released, that it had identified “a number of Australian organizations” that had been breached through the exploitation of this vulnerability.

“The ACSC has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,” the agency said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Monday, but it’s unclear whether the agency has also observed attacks or if the warning is based on the ACSC alert, which is referenced by CISA.

ForgeRock noted that an attacker can exploit the vulnerability to execute code in the context of the current user, which is why it has advised organizations to ensure that AM is running with minimal privileges.

“The ForgeRock AM deployment should also have suitable firewall, or security groups attached which do not allow traffic in or out of the server where not explicitly required,” the company said.

*updated to clarify that version 7 of AM is not affected; added more information on affected products; headline modified;

Related: SolarWinds Confirms New Zero-Day Flaw Under Attack

Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug

Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.