CVE-2025-15579 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or
privilege escalation.

This issue affects Directory Services: from 10.5 through 26.1.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1

Workaround

No workaround given by the vendor.

References

Link	Providers
https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1

History

Wed, 18 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation. This issue affects Directory Services: from 10.5 through 26.1.
Title		An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services.
Weaknesses		CWE-502
References		https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1
Metrics		cvssV4_0 `{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:M/U:Red'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: OpenText

Published: 2026-02-18T14:57:04.010Z

Updated: 2026-02-18T18:20:06.518Z

Reserved: 2026-02-17T15:58:22.563Z

Link: CVE-2025-15579

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-18T16:22:28.290

Modified: 2026-02-18T17:51:53.510

Link: CVE-2025-15579

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15579", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "state": "PUBLISHED", "assignerShortName": "OpenText", "dateReserved": "2026-02-17T15:58:22.563Z", "datePublished": "2026-02-18T14:57:04.010Z", "dateUpdated": "2026-02-18T18:20:06.518Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Directory Services", "vendor": "OpenText\u2122", "versions": [{"lessThanOrEqual": "26.1", "status": "affected", "version": "10.5", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dylan Pindur - Assetnote"}, {"lang": "en", "type": "finder", "value": "Adam Kues - Assetnote"}, {"lang": "en", "type": "finder", "value": "Tomais Williamson - Assetnote"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in OpenText\u2122 Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or\nprivilege escalation.\n\n<p>This issue affects Directory Services: from 10.5 through 26.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in OpenText\u2122 Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or\nprivilege escalation.\n\nThis issue affects Directory Services: from 10.5 through 26.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.5, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2026-02-18T14:57:04.010Z"}, "references": [{"url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1\">https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1</a>\n\n<br>"}], "value": "https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1"}], "source": {"discovery": "UNKNOWN"}, "title": "An Insecure Deserialization vulnerability has been discovered in OpenText\u2122 Directory Services.", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T18:19:55.256380Z", "id": "CVE-2025-15579", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T18:20:06.518Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in OpenText\u2122 Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or\nprivilege escalation.\n\nThis issue affects Directory Services: from 10.5 through 26.1."}], "id": "CVE-2025-15579", "lastModified": "2026-02-18T17:51:53.510", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2026-02-18T16:22:28.290", "references": [{"source": "security@opentext.com", "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@opentext.com", "type": "Primary"}]}