CVE-2025-2855
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2855 is a problematic vulnerability in elunez eladmin versions up to 2.7. It affects the checkFile function behind the /api/deploy/upload endpoint, where manipulation of the "servers" argument triggers deserialization of untrusted data. Classified under CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data), the issue carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-27.
The vulnerability enables remote exploitation by an attacker with high privileges (PR:H). With low attack complexity and no user interaction required, a successful exploit can result in low-level impacts on confidentiality, integrity, and availability within the unchanged scope.
Advisories provide further details via the GitHub issue at https://github.com/elunez/eladmin/issues/873 and VulDB references at https://vuldb.com/?ctiid.301502, https://vuldb.com/?id.301502, and https://vuldb.com/?submit.522504, which may include mitigation guidance or patches.
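The CWE-502 pattern the advisory names, shown as an added example that is neither eladmin's code nor the fix discussed in the linked issue: a hypothetical handler that receives a serialized Java object where the advisory describes the "servers" argument, first in its unsafe form and then hardened with a JEP 290 ObjectInputFilter allowlist. The ServerRef type, the filter string and all method names are assumptions.

```java
import java.io.*;
import java.util.*;

public class DeployUploadHardened {

    // Hypothetical type the handler legitimately expects in the "servers" parameter.
    public static final class ServerRef implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String id;
        public ServerRef(String id) { this.id = id; }
    }

    // CWE-502 as described in the advisory: request-supplied bytes reach readObject()
    // with no restriction on which classes the stream may instantiate.
    static Object deserializeUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened variant: a JEP 290 filter that admits only the expected types, bounds the
    // object graph, and rejects every other class ("!*") before it is instantiated.
    static final ObjectInputFilter SERVERS_FILTER = ObjectInputFilter.Config.createFilter(
        "DeployUploadHardened$ServerRef;java.util.ArrayList;java.lang.String;"
        + "maxdepth=8;maxrefs=256;maxbytes=65536;!*");

    static List<ServerRef> deserializeServers(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(SERVERS_FILTER);   // rejected classes raise InvalidClassException
            Object o = in.readObject();
            List<ServerRef> out = new ArrayList<>();
            for (Object e : (List<?>) o) out.add((ServerRef) e);  // shape check after the type check
            return out;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new ArrayList<>(List.of(new ServerRef("srv-1"), new ServerRef("srv-2"))));
        System.out.println("allowed: " + deserializeServers(legit).size() + " servers");
        // Constructed sample: a harmless but unexpected class stands in for hostile input.
        byte[] unexpected = serialize(new HashMap<>(Map.of("k", "v")));
        System.out.println("unsafe path accepted: " + deserializeUnsafe(unexpected).getClass().getName());
        try { deserializeServers(unexpected); }
        catch (InvalidClassException e) { System.out.println("hardened path rejected: " + e.getMessage()); }
    }
}
```

The same allowlist can be installed process-wide with the jdk.serialFilter system property, which covers deserialization paths a code review might miss.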
Details
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization of untrusted data vulnerability in the /api/deploy/upload endpoint allows remote exploitation of the web application, which maps to T1190 Exploit Public-Facing Application (even though reaching the vulnerable function requires high privileges, PR:H).