CRITICAL🇵🇱 Wersja polska

CVE-2025-25783

CVSS 9.8v3.1pub. 2025-02-26upd. 2026-07-05

An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.

🤖 AI Analysis
How it works

The vulnerability mechanism is based on the lack of proper validation of uploaded files (CWE-434 – Unrestricted Upload of File with Dangerous Type). The attacker uploads a crafted Zip file to the plugin handling component (admin\plugin.php). On the server side, the file is extracted and processed without verification of its contents, which allows placement of a malicious executable file (e.g., webshell) in the application's accessible directory. As a result, the attacker can invoke this file and execute arbitrary system commands.

Impact

An attacker can gain full control over the server – execute arbitrary code (RCE), access confidential data, modify application content, or use the server as a launching point for further attacks on the internal network.

Mitigation & patch

Apply patches available from the vendor according to the references (https://www.emlog.net/). Until the update is applied, it is recommended to restrict access to the administrative panel exclusively to trusted IP addresses and monitor the plugins directory for unauthorized files.

Who is affected

Emlog Pro v2.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Emlog

    APP
    Emlog
    2.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-22799CRITICAL9.3PL ✓ten sam produkt

Emlog: nieautoryzowany upload pliku PHP przez REST API — RCE

CVE-2025-61318CRITICAL9.1PL ✓ten sam produkt

Emlog Pro – arbitralne usuwanie plików przez path traversal

CVE-2025-29401CRITICAL9.8PL ✓ten sam produkt

RCE przez dowolne przesyłanie plików w Emlog Pro 2.5.7

CVE-2023-44974CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers...

CVE-2023-44973CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attacke...