Unknown: Thorn SFTP Gateway: Unauthenticated Java Deserialization RCE in OAuth2 Cookie Handler
CWE-502
Deserialization of Untrusted Data
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Per NVD: “Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within the specific context of Thorn SFTP gateway, this leads to remote code execution.” Per Praetorian’s blog: the deserialize call is reachable via the oauth2_authorization_request cookie on the /login/oauth2/code/{registrationId} endpoint.
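The pattern described above, shown as an added illustration that is not Thorn's or Praetorian's code: a hypothetical cookie handler that hands client-supplied bytes straight to Java deserialization, beside a hardened version that applies a JEP 290 ObjectInputFilter allow-list. The class and method names are assumptions; the real Spring/Thorn classes are not named on the page.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.util.Base64;

// Hypothetical stand-in for the per-login state a gateway might keep in a
// cookie; the actual class used by the product is not given on the page.
final class AuthRequestState implements Serializable {
    private static final long serialVersionUID = 1L;
    final String registrationId;
    final String stateNonce;
    AuthRequestState(String registrationId, String stateNonce) {
        this.registrationId = registrationId;
        this.stateNonce = stateNonce;
    }
}

final class CookieStateCodec {
    // Vulnerable pattern: the cookie bytes decide which classes get
    // instantiated, so any gadget chain on the classpath can run during
    // readObject(). This is what an unfiltered SerializationUtils.deserialize
    // style call amounts to.
    static Object decodeUnrestricted(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(cookieValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 filter allow-lists the one expected class
    // and rejects every other class before its readObject() is reached.
    private static final ObjectInputFilter ONLY_STATE = ObjectInputFilter.Config.createFilter(
            "AuthRequestState;java.lang.String;!*");

    static AuthRequestState decodeFiltered(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(cookieValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ONLY_STATE);
            Object o = in.readObject(); // InvalidClassException for any rejected class
            if (!(o instanceof AuthRequestState)) throw new InvalidClassException("unexpected payload type");
            return (AuthRequestState) o;
        }
    }
}
```

Even with the filter in place, the stronger fix is to never deserialize client-controlled bytes: keep authorization-request state server-side, or in a signed token that is parsed, not deserialized.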
Affected Packages / Versions
- Package: Thorn SFTP Gateway (—)
- Latest published version at triage time: 3.4.x prior to 3.4.4
- Affected range: Thorn SFTP gateway 3.4.x before 3.4.4 (per NVD)
- Patched version: Thorn SFTP Gateway 3.4.4
Impact
Per Praetorian’s blog: “unauthenticated remote code execution in the Thorn SFTP Gateway Admin portal.” Specific post-exploitation outcomes are not enumerated in the blog body — the framing is researcher-discovered RCE with PoC built using ysoserial and a Java RMI payload.
Severity Rationale
NVD CVSS 9.8 (Critical): network AV, low complexity, no privileges or UI, full CIA.
Fix
Per NVD, upgrade to Thorn SFTP Gateway 3.4.4 or later. Per Praetorian’s blog: “Thorn Tech was extremely responsive and completed the patch only a few days after we initially contacted them.”
Disclosure timeline
- TBD: Reported to Thorn Tech
- TBD: Patch released (Thorn SFTP Gateway 3.4.4)
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Praetorian Labs · Published April 29, 2026