fkie_cve-2025-52136
Vulnerability from fkie_nvd
Published
2025-08-10 04:15
Modified
2025-08-12 15:15
Severity ?
3.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
Summary
In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command.
References
cve@mitre.orghttps://docs.emqx.com/en/emqx/latest/dashboard/introduction.html
cve@mitre.orghttps://docs.emqx.com/en/emqx/latest/deploy/install-docker.html
cve@mitre.orghttps://github.com/ricardojoserf/emqx-RCE
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/ricardojoserf/emqx-RCE
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier\u0027s position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin\u0027s acceptability (for later Dashboard installation) is set by the \"emqx ctl plugins allow\" CLI command."
    },
    {
      "lang": "es",
      "value": "En EMQX anterior a la versi\u00f3n 5.8.6, los administradores pod\u00edan instalar complementos nuevos a su elecci\u00f3n mediante la interfaz web del Dashboard. NOTA: El proveedor considera que este es el comportamiento previsto; sin embargo, la versi\u00f3n 5.8.6 a\u00f1ade una funci\u00f3n de defensa en profundidad que permite configurar la aceptabilidad de un complemento (para su posterior instalaci\u00f3n en el Dashboard) mediante el comando CLI \"emqx ctl plugins allow\"."
    }
  ],
  "id": "CVE-2025-52136",
  "lastModified": "2025-08-12T15:15:30.080",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.0,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 1.4,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-10T04:15:33.913",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/ricardojoserf/emqx-RCE"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/ricardojoserf/emqx-RCE"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-754"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.