{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-52136", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-08-12T14:27:35.318Z", "dateReserved": "2025-06-16T00:00:00.000Z", "datePublished": "2025-08-10T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EMQX", "vendor": "EMQX", "versions": [{"lessThan": "5.8.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the \"emqx ctl plugins allow\" CLI command."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-08-10T03:16:32.155Z"}, "references": [{"url": "https://github.com/ricardojoserf/emqx-RCE"}, {"url": "https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html"}, {"url": "https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html"}], "tags": ["disputed"], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:emqx:emqx:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.8.6"}]}]}]}, "adp": [{"references": [{"url": "https://github.com/ricardojoserf/emqx-RCE", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T14:27:21.450060Z", "id": "CVE-2025-52136", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T14:27:35.318Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52136", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T14:27:21.450060Z"}}}], "references": [{"url": "https://github.com/ricardojoserf/emqx-RCE", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T14:27:32.387Z"}}], "cna": {"tags": ["disputed"], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "EMQX", "product": "EMQX", "versions": [{"status": "affected", "version": "0", "lessThan": "5.8.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/ricardojoserf/emqx-RCE"}, {"url": "https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html"}, {"url": "https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the \"emqx ctl plugins allow\" CLI command."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emqx:emqx:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.8.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-08-10T03:16:32.155Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52136", "state": "PUBLISHED", "dateUpdated": "2025-08-12T14:27:35.318Z", "dateReserved": "2025-06-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-08-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the \"emqx ctl plugins allow\" CLI command."}, {"lang": "es", "value": "En EMQX anterior a la versi\u00f3n 5.8.6, los administradores pod\u00edan instalar complementos nuevos a su elecci\u00f3n mediante la interfaz web del Dashboard. NOTA: El proveedor considera que este es el comportamiento previsto; sin embargo, la versi\u00f3n 5.8.6 a\u00f1ade una funci\u00f3n de defensa en profundidad que permite configurar la aceptabilidad de un complemento (para su posterior instalaci\u00f3n en el Dashboard) mediante el comando CLI \"emqx ctl plugins allow\"."}], "id": "CVE-2025-52136", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-08-10T04:15:33.913", "references": [{"source": "cve@mitre.org", "url": "https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html"}, {"source": "cve@mitre.org", "url": "https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html"}, {"source": "cve@mitre.org", "url": "https://github.com/ricardojoserf/emqx-RCE"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ricardojoserf/emqx-RCE"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"created": "2025-08-12T07:41:45.059350+00:00", "updated": "2025-08-12T07:41:45.059417+00:00", "vendors": ["emqx", "emqx$PRODUCT$emqx"]}