CVE: See the impact section in the advisory
Advisory Summary: Some security scanners, run directly on the server hosting Command Enterprise, detect the Azul version from its configuration files and list all the potential CVEs disclosed in Azul release notes, without checking if the related components are installed or how they are used.
Products or Components: Command Enterprise
Addressed in Release: No Impact to March Networks products
Severity: N/A
Ticket: SV-116

Description

Some security scanners, executed directly on the server hosting Command Enterprise, detect the Azul version from its configuration files and list all the potential CVEs disclosed in Azul release notes without checking if the related components are impacted, used, or even installed. In general, these issues relate to loading data through a network API or to loading untrusted code from the network. Command Enterprise services based on WSDL perform sanity checks on data and don’t execute untrusted code. In some cases, affected components are not even installed.

Command Enterprise 2.15, 2.16, and 2.17 use Azul Zulu OpenJDK version 11.48 (CA), for which several fixes for known CVEs were released. See the ones related to Azul Zulu 11 in:

All the CVEs related to Azul Zulu 11 listed in the above links either do not impact Command Enterprise 2.15, 2.16, or 2.17, or are low and medium vulnerabilities. All of them have been fixed since Command Enterprise 2.18.

Command Enterprise 2.18 and 2.19 use Azul Zulu OpenJDK version 11.66 (CA), for which several fixes for known CVEs were released. See the ones related to Azul Zulu 11 in:

All the CVEs related to Azul Zulu 11 listed in the above links either do not impact Command Enterprise 2.18 or 2.19, or are low and medium vulnerabilities. In any case, all of them have been fixed since Command Enterprise 2.20.

Command Enterprise 2.20 and 2.21 use Azul Zulu OpenJDK version 11.76 (CA), for which several fixes for known CVEs were released. See the ones related to Azul Zulu 11 in:

All the CVEs related to Azul Zulu 11 listed in the above links either do not impact Command Enterprise 2.20 or 2.21, or are low and medium vulnerabilities. In any case, all of them have been fixed since Command Enterprise 2.22.

Command Enterprise 2.22 uses Azul Zulu OpenJDK version 11.80 (CA), for which several fixes for known CVEs were released. See the ones related to Azul Zulu 11 in:

None of the CVEs related to Azul Zulu 11 listed in the above links impact Command Enterprise 2.22, with the exception of the medium vulnerability CVE-2025-53057, which will be closed in a future release of Command Enterprise.

March Networks continuously monitors new issues in software components used in our products and services and communicates their impact according to our security policies. For high and critical vulnerabilities, we send a notification over our Partner Portal in advance of a public disclosure. For medium and low vulnerabilities, we recommend updating to our latest released versions.

Impact

Below, we list in detail all the CVEs with a fix delivered in Azul Zulu releases from 11.50 to 11.82, together with their impact on Command Enterprise.

Azul Zulu release 11.50  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.52  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.54  
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.56  
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Applies only if the zlib library is used outside the Azul Zulu Java environment. No impact on Command Enterprise, since it doesn’t provide access to this library outside the Azul Zulu Java environment.
Applies to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
Apply to data loaded over a network API. Low or medium risk vulnerabilities closed with Command Enterprise 2.18.
Azul Zulu release 11.58  
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply to data loaded over a network API. No impact on Command Enterprise.
Azul Zulu release 11.60  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.62  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.64  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Applies to data received or sent over a half-duplex TLS session. No impact on Command Enterprise, since it receives or sends sensitive data only on authenticated full-duplex TLS sessions.
Apply to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.66 (used since Command Enterprise 2.18)  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Apply to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply to data loaded over a network API. Low risk vulnerabilities, closed with Command Enterprise 2.18.
Azul Zulu release 11.68  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.70  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
Azul Zulu release 11.72  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Apply to data loaded over a network API. No impact on Command Enterprise, since it uses the API only with trusted data.
Azul Zulu release 11.74  
Applies to data loaded over a network API. Low impact on Command Enterprise when its default TLS setting is used. We recommend keeping TLS 1.2 as the minimum version and considering a TLS 1.2 configuration that enforces forward secrecy and strong ciphers (please refer to the installation guide for details). Closed with Command Enterprise 2.20.
Applies to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.20.
Applies to data loaded over a network API. No impact on Command Enterprise, since related to components or protocols not used by it.
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Azul Zulu release 11.76 (used since Command Enterprise 2.20)  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
Applies to data loaded over a network API. Low or medium risk vulnerabilities, closed with Command Enterprise 2.22.
Azul Zulu release 11.78  
Applies to data loaded over a network API. Medium risk vulnerability, closed with Command Enterprise 2.22.
Azul Zulu release 11.80  
No impact on Command Enterprise, since related to components or protocols not used by it.
Applies to data loaded over a network API. Low impact on Command Enterprise when its default TLS setting is used. We recommend keeping TLS 1.2 as the minimum version and considering a TLS 1.2 configuration that enforces forward secrecy and strong ciphers (please refer to the installation guide for details). Closed with Command Enterprise 2.22.
Applies to data loaded over a network API. Medium risk vulnerability, closed with Command Enterprise 2.22.
Azul Zulu release 11.82  
Apply only when loading untrusted code. No impact on Command Enterprise, since it runs only trusted code, installed on its hosting server without loading anything from the network.
No impact on Command Enterprise, since related to components or protocols not used by it.
Azul Zulu release 11.84  
No impact on Command Enterprise, since related to components or protocols not used by it.
Applies to data loaded over a network API. Medium risk vulnerability, will be closed in a future release of Command Enterprise.

Revision

October 21, 2025 – Updated public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and the system being deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry-leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high-security vulnerability is determined to affect March Networks products.