UNKNOWN | CISA KEV | IN THE WILD

CVE-2023-25194

Published: April 11, 2026

Official Description

A possible security vulnerability has been identified in Apache Kafka Connect API.

This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.

When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.

This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.

Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath.

Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them.

Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka Connect 3.4.0.

We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.
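One way to carry out the advised validation of connector configurations, as an added example that is not part of the advisory or of Apache Kafka's code: it scans the three override properties named above for the disallowed login module. It assumes connector configs have been exported as a mapping of connector name to config; the connector names and sample values are constructed.

```python
# Added example: audit connector configs for disallowed SASL JAAS login modules.

# Login module named in the advisory; extend the set to match local policy.
DISALLOWED_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}
# Client override keys listed in the advisory.
JAAS_KEYS = (
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)

def login_modules(jaas_config):
    """Return the login module class of each JAAS entry.

    An entry is `<class> <control flag> [option=value ...];`. Semicolons
    inside double-quoted option values do not end an entry.
    """
    entries, current, quoted = [], [], False
    for ch in jaas_config:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            entries.append("".join(current))
            current = []
        else:
            current.append(ch)
    entries.append("".join(current))
    return [e.split()[0] for e in entries if e.strip()]

def audit(connectors):
    """Return sorted (connector, key, module) findings for disallowed modules."""
    findings = []
    for name, config in connectors.items():
        for key in JAAS_KEYS:
            for module in login_modules(config.get(key, "")):
                if module in DISALLOWED_MODULES:
                    findings.append((name, key, module))
    return sorted(findings)

# Constructed sample data (connector names and values are hypothetical).
SAMPLE = {
    "orders-sink": {"producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="svc" password="a;b";'},
    "audit-source": {"consumer.override.sasl.jaas.config":
        "com.sun.security.auth.module.JndiLoginModule required;"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("DISALLOWED: connector=%s key=%s module=%s" % finding)
```

A finding on a running cluster means a connector was created or modified with a login module that Kafka Connect 3.4.0 rejects by default, so it warrants review of who submitted that configuration.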

NVD Source

Technical Analysis

CVE-2023-25194 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2023-25194 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Affected Vendors & Products

Mentioned vendors (from description):
Apache, Java
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

Quick Facts

CVE ID: CVE-2023-25194
Severity:
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
Published: Apr 11, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2023-25194 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.