Apache James distributions prior to releases 3.7.5 and 3.8.1 allow privilege escalation via pre-authentication Java deserialization on the JMX endpoint: any party able to reach the JMX port can have the server deserialize attacker-supplied data before any credentials are checked, so JMX authentication alone is not a mitigation. Given a deserialization gadget on the server's classpath, this can be leveraged as part of an exploit chain that results in privilege escalation.
Note: For Apache James servers running on Java versions <16, the ysoserial "CommonsBeanutils1" gadget chain can be used to execute arbitrary system commands. On Java versions >=16 that chain no longer works (JDK 16 strongly encapsulates JDK internals by default, which blocks the reflective access the chain depends on), so an alternative vector needs to be identified, as explained in this article.
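The two conditions above (release predates the fix on its branch; Java feature version below 16 for the known gadget) are easy to get wrong by hand across an inventory, because the 3.7 and 3.8 branches have different fixed releases and Java reports its version in two different schemes. The following triage helper is an added example, not code from the advisory or from the Apache James project. It assumes version strings of the form "3.8.0" / "3.8.1-SNAPSHOT" for James and "1.8.0_392" / "11.0.21" / "17" for Java; the host inventory at the bottom is constructed sample data.

```python
"""Triage helper for the Apache James JMX pre-auth deserialization issue.

Added example; not part of the advisory or of Apache James itself.
Assumptions: James versions look like "major.minor[.patch][-suffix]",
Java versions use either the legacy "1.x.y_z" or the modern "N.y.z" scheme.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory text: 3.7.5 on the 3.7 branch,
# 3.8.1 on the 3.8 branch. Everything older than 3.7.5 (e.g. 3.6.x) is
# also affected; 3.9 and later postdate the fix.
FIXED_3_7 = (3, 7, 5)
FIXED_3_8 = (3, 8, 1)

# Gadget chain named in the note above; only known to work below Java 16.
KNOWN_GADGET = "CommonsBeanutils1"
GADGET_MAX_JAVA = 16  # exclusive


def parse_james_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Apache James version: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def james_is_affected(version: str) -> bool:
    """True if the release predates the fix on its own branch."""
    mmp = parse_james_version(version)
    if mmp[:2] == (3, 8):
        return mmp < FIXED_3_8
    return mmp < FIXED_3_7


def java_feature_version(java_version: str) -> int:
    """'1.8.0_392' -> 8, '11.0.21' -> 11, '17' -> 17, '21.0.2+13' -> 21."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?", java_version)
    if not m:
        raise ValueError(f"unrecognised Java version: {java_version!r}")
    major = int(m.group(1))
    if major == 1 and m.group(2) is not None:  # legacy "1.x" scheme
        return int(m.group(2))
    return major


def triage(james_version: str, java_version: str,
           jmx_reachable: bool) -> Dict[str, object]:
    """Combine release, runtime and exposure into a single finding."""
    affected = james_is_affected(james_version)
    feature = java_feature_version(java_version)
    gadget: Optional[str] = None
    if affected and feature < GADGET_MAX_JAVA:
        gadget = KNOWN_GADGET
    if not affected:
        action = "none: release contains the fix"
    elif jmx_reachable:
        action = "urgent: upgrade; until then block the JMX port from untrusted networks"
    else:
        action = "upgrade; JMX port not reachable from the assessed position"
    return {
        "vulnerable_release": affected,
        "java_feature": feature,
        "known_gadget": gadget,      # None means an alternative vector is needed
        "jmx_reachable": jmx_reachable,
        "action": action,
    }


def triage_inventory(hosts: List[Tuple[str, str, str, bool]]) -> Dict[str, Dict[str, object]]:
    """Run triage over (hostname, james_version, java_version, jmx_reachable)."""
    return {name: triage(jv, javav, reach) for name, jv, javav, reach in hosts}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_HOSTS = [
    ("mail-a", "3.7.4", "1.8.0_392", True),
    ("mail-b", "3.8.0", "17.0.9", True),
    ("mail-c", "3.8.1", "11.0.21", True),
    ("mail-d", "3.6.2", "11.0.21", False),
]

if __name__ == "__main__":
    for host, finding in triage_inventory(SAMPLE_HOSTS).items():
        print(host, finding)
```

The gadget check is deliberately separate from the "vulnerable" verdict: a 3.8.0 server on Java 17 is still vulnerable, it just cannot be exploited with the chain the note names, so it must not be deprioritised on that basis alone.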
The vendor's disclosure and fix for this vulnerability can be found here.
More details and the exploitation process can be found in this PDF.