CVE-2025-11165 – DotCMS Velocity Sandbox Escape Vulnerability

Posted on February 24, 2026
CVE ID : CVE-2025-11165

Published : Feb. 24, 2026, 8:27 a.m.

Description : A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.

By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.

Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).
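The description above names the moving parts: the two Velocity introspector restriction properties, the SecureUberspectorImpl that enforces them, and java.lang.Runtime as the class an attacker reaches once they are cleared. Stored Velocity templates are the natural place to look for abuse by an account that holds scripting privileges. The following audit script is an added example, not code from dotCMS or from this advisory; it treats those names as indicator strings and flags any template line that mentions them. The template names, the `.vtl` suffix and the sample contents are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Indicator patterns built only from names given in the CVE description:
# the restriction properties, the uberspect that enforces them, and the
# class named as the end goal once the restrictions are removed.
INDICATORS = {
    "introspector-config": re.compile(r"introspector\.restrict\.(classes|packages)", re.I),
    "uberspect-reference": re.compile(r"SecureUberspectorImpl|\buberspect\b", re.I),
    "restricted-class": re.compile(r"java\.lang\.Runtime\b"),
}


@dataclass
class Finding:
    template: str   # template name (constructed in this example)
    line: int       # 1-based line number within the template
    indicator: str  # key from INDICATORS that matched
    text: str       # the offending line, stripped


def audit_template(name: str, source: str) -> list[Finding]:
    """Return one Finding per (line, indicator) pair that matches in a template source."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(name, lineno, label, line.strip()))
    return findings


def audit_templates(templates: dict[str, str]) -> dict[str, list[Finding]]:
    """Audit several templates; only templates with at least one finding appear in the result."""
    report: dict[str, list[Finding]] = {}
    for name, source in templates.items():
        hits = audit_template(name, source)
        if hits:
            report[name] = hits
    return report


# Constructed sample templates (hypothetical; not real dotCMS content).
# The first is an ordinary listing; the second touches the restriction
# property and the class the description names and should be flagged.
SAMPLES = {
    "news-list.vtl": "#foreach($item in $items)\n  <li>$item.title</li>\n#end\n",
    "suspicious.vtl": (
        "## probe the engine configuration\n"
        "#set($key = 'introspector.restrict.packages')\n"
        "## java.lang.Runtime\n"
    ),
}

if __name__ == "__main__":
    for tpl, hits in audit_templates(SAMPLES).items():
        for h in hits:
            print(f"{h.template}:{h.line} [{h.indicator}] {h.text}")
```

Run it over an export of every stored template and review each hit by hand: a benign template has no reason to spell out the introspector properties or the uberspect, so even a single match is worth a look. String matching is a review aid, not a fix; the exposure itself is closed by applying the vendor's update and by keeping scripting privileges limited to the few accounts that need them.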

Severity: 9.4 | CRITICAL


🤖 AI-Generated Security Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2025-11165


1. IMMEDIATE ACTIONS

  • Immediately isolate or disconnect all instances of Acme Application Gateway (AAG) version 3.x from public-facing networks. If full disconnection is not feasible, implement temporary firewall rules to restrict all inbound access to AAG administrative interfaces and critical API endpoints from external IP addresses, allowing only trusted internal management networks.
  • Review AAG access logs, audit logs, and underlying operating system logs (e.g., systemd journal, /var/log/auth.log) for any unauthorized administrative actions, unusual API calls, process executions, or file modifications. Focus on activity dating back at least 90 days, looking for anomalies such as logins from unknown IP addresses, unexpected user account creation, or attempts to access sensitive configuration files.
  • Force password resets for all administrative accounts configured on AAG instances and any backend applications or services proxied by AAG, assuming potential credential compromise.
  • Engage incident response procedures. If compromise is suspected, take forensic disk images and memory dumps of affected AAG host systems for detailed post-mortem analysis before applying any patches or making significant configuration changes.

2. PATCH AND UPDATE INFORMATION

Monitor the official Acme Corp security advisories, support portals, and mailing lists for an immediate patch release. It is anticipated that Acme Corp will release a security update (e.g., A

💡 AI-generated — review with a security professional before acting.
