Article No. 1840 (Setup)
[SECURITY] Java Object Serialization Vulnerability (CVE-2015-4852)
Description:
A default Intrexx installation is most probably not affected by the Java object deserialization zero-day (CVE-2015-4852).

Furthermore, a close inspection of the Intrexx source code has not found any place where serialized Java objects, whose deserialization from untrusted input is the root of this vulnerability, are deserialized.

This applies in particular to data that reaches Intrexx via the web server; since there is no deserialization step on that path, an attack using the security flaw named above is ruled out here.

These initial, intensive source code analyses also show that, because of the Intrexx server architecture, the Intrexx Portal server cannot be attacked through the discovered security flaw. Naturally, we are also testing other possible angles of attack, and if necessary we will respond as quickly as possible with an Online Update.
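The source code inspection described above looks for the two things an attack of this kind needs at the same time: a Commons Collections library on the classpath whose versions still deserialize the unsafe functor classes, and a code path where input from outside reaches java.io.ObjectInputStream. The same two conditions can be checked on a deployed installation by scanning its jar files. The following Python scanner is an example added to this article, not Intrexx or Apache code; the jar contents, manifest version strings and class bytes it runs against are constructed inside the block, and the directory it scans is whatever path you hand to scan_directory().

```python
# Added example (not Intrexx or Apache code): scan jar files for the two
# ingredients of a Commons Collections deserialization attack.
import io
import re
import zipfile
from pathlib import Path

# Gadget class used by the public Commons Collections exploit chains, as the
# zip entry names it has inside the 3.x and 4.x jars.
GADGET_ENTRIES = {
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
}

# First release in each line that refuses to deserialize the unsafe functors
# by default: Commons Collections 3.2.2 and 4.1.
FIXED_FROM = {3: (3, 2, 2), 4: (4, 1, 0)}

# Constant-pool string present in any class file that references
# java.io.ObjectInputStream (subclasses it, instantiates it or calls it).
OIS_MARKER = b"java/io/ObjectInputStream"


def version_tuple(text):
    """'3.2.1' -> (3, 2, 1); missing trailing components are zero-filled."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def gadget_version_is_unsafe(version):
    """True if this Commons Collections version still deserializes the unsafe functors."""
    v = version_tuple(version)
    fixed = FIXED_FROM.get(v[0])
    return fixed is not None and v < fixed


def manifest_version(manifest):
    """Pull Implementation-Version (or Bundle-Version) out of MANIFEST.MF text."""
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def scan_jar(jar_bytes, name="<memory>"):
    """Report gadget classes, library version and ObjectInputStream users in one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        gadgets = sorted(GADGET_ENTRIES & names)
        version = None
        if "META-INF/MANIFEST.MF" in names:
            version = manifest_version(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        if version is None:  # fall back to the version in the file name
            m = re.search(r"commons-collections4?-(\d+(?:\.\d+)*)\.jar$", name)
            version = m.group(1) if m else None
        # Any class whose constant pool names ObjectInputStream is a candidate
        # deserialization entry point and deserves a manual look.
        sites = sorted(n for n in names if n.endswith(".class") and OIS_MARKER in zf.read(n))
    return {
        "jar": name,
        "gadget_classes": gadgets,
        "version": version,
        # Unknown version plus gadget class present is treated as unsafe.
        "unsafe_gadget": bool(gadgets) and (version is None or gadget_version_is_unsafe(version)),
        "deserialization_sites": sites,
    }


def scan_directory(root):
    """Scan every .jar under root. Only the combination of an unsafe gadget
    library and a deserialization site makes the deployment exploitable."""
    reports = [scan_jar(p.read_bytes(), p.name) for p in Path(root).rglob("*.jar")]
    has_gadget = any(r["unsafe_gadget"] for r in reports)
    has_sink = any(r["deserialization_sites"] for r in reports)
    return {"reports": reports, "gadget_and_sink": has_gadget and has_sink}


def build_sample_jar(entries, manifest=None):
    """Constructed sample input: a minimal jar built in memory from {entry: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if manifest is not None:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
        for entry, data in entries.items():
            zf.writestr(entry, data)
    return buf.getvalue()


# Constructed inputs: an old Commons Collections jar (3.2.1, still unsafe) and an
# application class whose constant pool references ObjectInputStream.
OLD_COLLECTIONS_JAR = build_sample_jar(
    {"org/apache/commons/collections/functors/InvokerTransformer.class": b"\xca\xfe\xba\xbe"},
    manifest="Manifest-Version: 1.0\r\nImplementation-Version: 3.2.1\r\n",
)
APP_JAR = build_sample_jar(
    {"com/example/Endpoint.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34java/io/ObjectInputStream"}
)

if __name__ == "__main__":
    print(scan_jar(OLD_COLLECTIONS_JAR, "commons-collections-3.2.1.jar"))
    print(scan_jar(APP_JAR, "app.jar"))
```

Point scan_directory() at the lib directory of an installation; a report with gadget_and_sink set to true is the case the article rules out for a default installation, and each listed deserialization site is a place to confirm by reading the code that the bytes being deserialized cannot originate from outside.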

As well as correcting feature defects and expanding Intrexx’s capabilities, Online Updates also always improve the security of the installed server. Prompt installation of Online Updates is therefore recommended.

Additional information regarding this topic can be found on the Apache blog: https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
Operating system: unspecific
Category: Setup
Database: unspecific
Found in version:
  • 7.0
Modified: 09/05/2016