M-Way Solutions: Relution: Java Deserialization in Inter-Cluster Communication
CWE-502
Deserialization of Untrusted Data
—
Summary
Per Praetorian’s blog: “In this article we discuss a recent deserialization vulnerability we found in Relution (CVE-2023-48178), a mobile device management product that is popular among multinational German corporations. CVE-2023-48178 can potentially lead to remote code execution and complete compromise of the MDM application and clients managed by the solution. The deserialization vulnerability exists in a component of the application used for inter-cluster communication within multi-cluster deployments.”
Affected Packages / Versions
- Package: Relution Mobile Device Management (—)
- Latest published version at triage time: Per Praetorian's blog: tested on a Docker image running Java 17
- Affected range: Per Praetorian's blog: "the component used for inter-cluster communication between instances of the Relution application" (JGroups, port 7800)
- Patched version: See Relution security advisory (NVD record was not present at fetch time)
Impact
Per Praetorian’s blog: “The component uses the JGroups library and is enabled by default. According to the Relution documentation, the cluster communication uses port 7800 and ‘need to be opened on the firewall for incoming and outgoing connections from/to the Internet’. (Side note: while the documentation states that port 7800 needs to be accessible from the internet, our scans indicated that none were actually exposed. The exploitation vector required is a local network connection where port 7800 is accessible, like from an internal network.)” Praetorian’s blog also notes Java 17 / 16 reflection restrictions partially limited public gadget chains.
Severity Rationale
NVD has no record of CVE-2023-48178 at fetch time. Praetorian’s cve-research listing scores it CVSS 9.8 (Critical). Reviewer should confirm the score source and re-fetch NVD before publication.
Fix
Apply the Relution vendor update. The blog does not enumerate a specific fixed version — confirm against the Relution security advisory before publication.
Disclosure timeline
- TBD: Reported to vendor
- TBD: Patch released
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Praetorian Labs · Published April 29, 2026