Cyber Posture

CVE-2025-29401

Critical · Public PoC · RCE

Published: 19 March 2025

Modified: 16 June 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 (49.2nd percentile)
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29401 is a critical-severity Code Injection (CWE-94) vulnerability in Emlog Emlog. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE ranks at the 49.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Shell (T1505.003) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly prevents arbitrary file upload exploitation by validating uploaded files to reject crafted PHP payloads leading to code execution.

prevent

Addresses the specific flaw in /views/plugin.php through timely identification, reporting, and remediation of the vulnerability.

prevent

Blocks malicious PHP code execution by scanning uploads for malicious content at web entry points.

MITRE ATT&CK Enterprise Techniques [AI]

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Arbitrary file upload in a public-facing web application (/views/plugin.php) enables exploitation of a public-facing application (T1190) and deployment and execution of web shells via crafted PHP files (T1100, T1505.003).

NVD Description

An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Deeper analysis [AI]

CVE-2025-29401 is an arbitrary file upload vulnerability in the /views/plugin.php component of emlog pro version 2.5.7. This flaw allows attackers to upload crafted PHP files, resulting in arbitrary code execution on the server. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by sending a malicious request to the affected endpoint. Successful exploitation grants attackers the ability to execute arbitrary code with the privileges of the web server process, potentially leading to full server compromise, including high-impact confidentiality breaches, integrity modifications, and availability disruptions.

References for this CVE point to GitHub repositories hosting documentation on emlog pro 2.5.7, specifically a file titled "emlog pro2.5.7-getshell.md," which details the exploit technique for achieving remote code execution. No official patch or mitigation guidance is specified in the provided information.

Details

CWE(s)

Affected Products

emlog
emlog
2.5.7

CVEs Like This One

CVE-2026-22799 (Same product: Emlog Emlog)
CVE-2025-9296 (Same product: Emlog Emlog)
CVE-2026-21433 (Same product: Emlog Emlog)
CVE-2025-30372 (Same product: Emlog Emlog)
CVE-2025-25783 (Same product: Emlog Emlog)
CVE-2026-21430 (Same product: Emlog Emlog)
CVE-2026-34607 (Same product: Emlog Emlog)
CVE-2025-25823 (Same product: Emlog Emlog)
CVE-2026-31954 (Same product: Emlog Emlog)
CVE-2025-61318 (Same product: Emlog Emlog)

References