CVE-2025-52136 (GCVE-0-2025-52136)

Vulnerability from cvelistv5 – Published: 2025-08-10 00:00 – Updated: 2025-08-12 14:27
Summary
In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command.
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
  • mitre
Impacted products
Vendor   Product   Version
EMQX     EMQX      Affected: 0, < 5.8.6 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52136",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-12T14:27:21.450060Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-12T14:27:35.318Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ricardojoserf/emqx-RCE"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EMQX",
          "vendor": "EMQX",
          "versions": [
            {
              "lessThan": "5.8.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:emqx:emqx:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.8.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier\u0027s position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin\u0027s acceptability (for later Dashboard installation) is set by the \"emqx ctl plugins allow\" CLI command."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-10T03:16:32.155Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/ricardojoserf/emqx-RCE"
        },
        {
          "url": "https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html"
        },
        {
          "url": "https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-52136",
    "datePublished": "2025-08-10T00:00:00.000Z",
    "dateReserved": "2025-06-16T00:00:00.000Z",
    "dateUpdated": "2025-08-12T14:27:35.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-52136\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-08-10T04:15:33.913\",\"lastModified\":\"2025-08-12T15:15:30.080\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier\u0027s position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin\u0027s acceptability (for later Dashboard installation) is set by the \\\"emqx ctl plugins allow\\\" CLI command.\"},{\"lang\":\"es\",\"value\":\"En EMQX anterior a la versi\u00f3n 5.8.6, los administradores pod\u00edan instalar complementos nuevos a su elecci\u00f3n mediante la interfaz web del Dashboard. NOTA: El proveedor considera que este es el comportamiento previsto; sin embargo, la versi\u00f3n 5.8.6 a\u00f1ade una funci\u00f3n de defensa en profundidad que permite configurar la aceptabilidad de un complemento (para su posterior instalaci\u00f3n en el Dashboard) mediante el comando CLI \\\"emqx ctl plugins allow\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":3.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"references\":[{\"url\":\"https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/ricardojoserf/emqx-RCE\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/ricardojoserf/emqx-RCE\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-52136\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-12T14:27:21.450060Z\"}}}], \"references\": [{\"url\": \"https://github.com/ricardojoserf/emqx-RCE\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-12T14:27:32.387Z\"}}], \"cna\": {\"tags\": [\"disputed\"], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"EMQX\", \"product\": \"EMQX\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.8.6\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/ricardojoserf/emqx-RCE\"}, {\"url\": \"https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html\"}, {\"url\": \"https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier\u0027s position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin\u0027s acceptability (for later Dashboard installation) is set by the \\\"emqx ctl plugins allow\\\" CLI command.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-754\", \"description\": \"CWE-754 Improper Check for Unusual or Exceptional Conditions\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:emqx:emqx:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.8.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-08-10T03:16:32.155Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-52136\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-12T14:27:35.318Z\", \"dateReserved\": \"2025-06-16T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-08-10T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

