Deserialisation vulnerabilities are often difficult to exploit. In most cases, you need access to the source code to identify the available classes or libraries used. This allows you to choose a suitable gadget chain or build a new one.
However, access to the source code is not always possible. It generally requires high privileges or the prior exploitation of another vulnerability.