CVE-2025-52136

In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command.

CVSS v3 3.0 LOW

3.0^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html
https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html
https://github.com/ricardojoserf/emqx-RCE
https://github.com/ricardojoserf/emqx-RCE

Configurations

No configuration.

History

12 Aug 2025, 15:15

Type	Values Removed	Values Added
References	~~() https://github.com/ricardojoserf/emqx-RCE -~~	() https://github.com/ricardojoserf/emqx-RCE -

11 Aug 2025, 18:32

Type	Values Removed	Values Added
Summary		(es) En EMQX anterior a la versión 5.8.6, los administradores podían instalar complementos nuevos a su elección mediante la interfaz web del Dashboard. NOTA: El proveedor considera que este es el comportamiento previsto; sin embargo, la versión 5.8.6 añade una función de defensa en profundidad que permite configurar la aceptabilidad de un complemento (para su posterior instalación en el Dashboard) mediante el comando CLI "emqx ctl plugins allow".

10 Aug 2025, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-10 04:15

Updated : 2025-08-12 15:15

NVD link : CVE-2025-52136

Mitre link : CVE-2025-52136

CVE.ORG link : CVE-2025-52136

JSON object : View

Products Affected

No product.

CWE

CWE-754

Improper Check for Unusual or Exceptional Conditions

3.0 /10