CVE-2026-36501: Controller 12.0.5 Denial of Service via Unsafe Deserialization
Controller version 12.0.5 contains a vulnerability in how it processes serialized Java objects. An attacker can send a specially crafted input to the application's deserialization handler, causing it to crash or become unresponsive. This is a denial-of-service vulnerability that requires network access but no authentication or user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36501 is a denial-of-service vulnerability in the Externalizable.readExternal() method of Controller v12.0.5. The flaw stems from improper input validation (CWE-20) during deserialization of externalized Java objects. An unauthenticated, remote attacker can exploit this by sending a malicious serialized payload that causes the application to exhaust resources or crash. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects that the attack is network-accessible with low complexity, requires no privileges or user interaction, and impacts availability only.
Business impact
Service unavailability resulting from a DoS attack can disrupt business operations that depend on Controller. Affected organizations may experience downtime affecting workflows, customer-facing services, or internal processes. Recovery requires either restarting the affected component or deploying a patched version. The impact is limited to availability; confidentiality and integrity are not compromised.
Affected systems
Controller version 12.0.5 is confirmed vulnerable. Organizations running this version in network-accessible configurations should prioritize assessment and patching. The vulnerability applies only to the specific version indicated; verify your deployment version against your asset inventory.
Exploitability
Exploitation is straightforward from a technical perspective: an attacker needs only network connectivity to the vulnerable service and the ability to send a crafted serialized object. No authentication, special privileges, or user interaction is required. The attack can be automated and executed at scale, making it a practical threat for internet-facing deployments.
Remediation
Upgrade Controller to a patched version released by the vendor. Consult the vendor advisory for the specific patched version number and deployment instructions. As an interim measure, restrict network access to the Controller service using firewall rules or network segmentation to limit exposure to untrusted sources.
Patch guidance
Contact your vendor to obtain the patched version of Controller. Verify the patch version against the official security advisory before deployment. Test the patched version in a non-production environment to confirm compatibility with your existing configuration and integrations. Schedule a maintenance window to deploy the patch to production systems, prioritizing those in high-availability or customer-facing roles.
Detection guidance
Monitor Controller logs for repeated connection attempts, unexpected deserialization errors, or application crashes from unauthenticated sources. Network-based detection could identify repeated attempts to send malformed serialized payloads to the vulnerable endpoint. Baseline normal application behavior and alert on anomalies in service availability or resource consumption. Review access logs for any requests originating from unexpected IP ranges.
Why prioritize this
This vulnerability merits high priority due to its network accessibility, ease of exploitation, and direct impact on service availability. No authentication is required, and the attack surface is large for internet-facing instances. Organizations should patch promptly to avoid potential service disruptions.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects the combination of network-accessible attack vector, low complexity, and denial-of-service impact on availability. The score does not account for confidentiality or integrity, which are not affected. In environments where Controller availability is critical or service downtime carries significant business cost, the operational risk may exceed the base CVSS score.
Frequently asked questions
Is authentication required to exploit this vulnerability?
No. The vulnerability is exploitable by an unauthenticated attacker with only network access to the affected service.
Can an attacker steal data or modify information using this vulnerability?
No. The vulnerability causes denial of service only. Confidentiality and integrity are not compromised. An attacker cannot read or alter data, only disrupt availability.
What versions of Controller are affected?
Controller version 12.0.5 is confirmed vulnerable. Verify your installed version and check the vendor advisory for a complete list of affected versions and the corresponding patched versions.
How quickly should we patch this vulnerability?
Given the ease of exploitation and lack of authentication requirements, patching should be prioritized within your normal security update cycle. For critical systems or internet-facing deployments, expedited patching is recommended.
This analysis is based on publicly available information as of the publication date. Vendor advisory details, patch versions, and availability timelines should be verified directly with the vendor. Organizations should conduct their own risk assessment based on their specific deployment context, business criticality, and threat environment. No exploit code or detailed attack methodology is provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)