CVE-2025-15579 PUBLISHED

An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services.

Assigner: OpenText
Reserved: 17.02.2026 Published: 18.02.2026 Updated: 18.02.2026

Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.

This issue affects Directory Services: from 10.5 through 26.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:M/U:Red
CVSS Score: 9.5

Product Status

Vendor OpenText™
Product Directory Services
Versions Default: unaffected
  • affected from 10.5 to 26.1 (incl.)

Solutions

https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0859600&sys_kb_id=f82c01214707b6144549b6bd416d43b7&spa=1

Credits

  • Dylan Pindur - Assetnote finder
  • Adam Kues - Assetnote finder
  • Tomais Williamson - Assetnote finder

References

Problem Types

  • CWE-502 Deserialization of Untrusted Data CWE

Impacts

  • CAPEC-586 Object Injection