CVE-2025-27819: 
Java vulnerability analysis and mitigation

In CVE-2025-27819, Apache Kafka brokers were found to be vulnerable to Remote Code Execution (RCE) and Denial of Service attacks through SASL JAAS JndiLoginModule configuration. This vulnerability is an extension of the previously reported CVE-2023-25194, which initially only identified the vulnerability in Kafka Connect API. The vulnerability affects Apache Kafka versions 2.0.0 through 3.3.2, with the issue being publicly disclosed on June 9, 2025 (Kafka CVE List, Wiz).

The vulnerability exists in the SASL JAAS configuration of Apache Kafka brokers. To exploit this vulnerability, an attacker needs two key prerequisites: the ability to connect to the Kafka cluster and possession of AlterConfigs permission on the cluster resource. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to Remote Code Execution (RCE) or Denial of Service attacks when successfully exploited. The impact is particularly severe as it affects the core broker component of Apache Kafka, potentially compromising the entire messaging infrastructure (Kafka CVE List, Wiz).

Since Apache Kafka 3.4.0, a system property (-Dorg.apache.kafka.disallowed.login.modules) has been introduced to disable problematic login modules in SASL JAAS configuration. By default, com.sun.security.auth.module.JndiLoginModule is disabled in Apache Kafka 3.4.0, and both JndiLoginModule and LdapLoginModule are disabled by default in Apache Kafka versions 3.9.1 and 4.0.0. Users are advised to upgrade to version 3.9.1 or later for complete mitigation (Kafka CVE List).