CVE-2025-29401

Critical · Public PoC · RCE

Published: 19 March 2025
Modified: 16 June 2025
KEV Added: not listed
Patch: none specified
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0026 (49.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29401 is a critical-severity Code Injection (CWE-94) vulnerability in Emlog (vendor: Emlog). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE ranks at the 49.5th percentile by exploit likelihood (EPSS), below the median; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-29401 is an arbitrary file upload vulnerability in the /views/plugin.php component of emlog pro version 2.5.7. This flaw allows attackers to upload crafted PHP files, resulting in arbitrary code execution on the server. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by sending a malicious request to the affected endpoint. Successful exploitation grants attackers the ability to execute arbitrary code with the privileges of the web server process, potentially leading to full server compromise, including high-impact confidentiality breaches, integrity modifications, and availability disruptions.

References for this CVE point to GitHub repositories hosting documentation on emlog pro 2.5.7, specifically a file titled "emlog pro2.5.7-getshell.md," which details the exploit technique for achieving remote code execution. No official patch or mitigation guidance is specified in the provided information.

Vulnerability details

An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An arbitrary file upload in a public-facing web application (/views/plugin.php) enables exploitation of a public-facing application (T1190) and the deployment and execution of web shells via crafted PHP files (T1505.003, formerly tracked as T1100).

CVEs Like This One

CVE-2026-22799 (same product: Emlog Emlog)
CVE-2025-9296 (same product: Emlog Emlog)
CVE-2026-21433 (same product: Emlog Emlog)
CVE-2025-30372 (same product: Emlog Emlog)
CVE-2025-25783 (same product: Emlog Emlog)
CVE-2026-34607 (same product: Emlog Emlog)
CVE-2026-21430 (same product: Emlog Emlog)
CVE-2025-25825 (same product: Emlog Emlog)
CVE-2025-61318 (same product: Emlog Emlog)
CVE-2026-31954 (same product: Emlog Emlog)

Affected Assets

Vendor: emlog
Product: emlog
Version: 2.5.7

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents arbitrary file upload exploitation by validating uploaded files to reject crafted PHP payloads that would lead to code execution.

SI-2 Flaw Remediation (prevent)
Addresses the specific flaw in /views/plugin.php through timely identification, reporting, and remediation of the vulnerability.

Additional preventive control
Blocks malicious PHP code execution by scanning uploads for malicious content at web entry points.
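As an added defensive illustration of the SI-10 control (example code written for this page, not code from emlog or from the referenced repositories), the following PHP upload handler refuses anything that could execute as PHP, by extension and by content, and stores accepted files under a server-chosen name outside the web root. The extension allowlist and the storage path are assumptions.

```php
<?php
// Added example, not emlog project code: server-side checks for a file-upload handler
// so that nothing PHP could execute is ever written from a client-supplied upload.
const ALLOWED_EXT    = ['png', 'jpg', 'jpeg', 'gif', 'zip'];   // assumed allowlist
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps'];

// True if any dotted segment after the first is executable, so "shell.php.jpg" is
// rejected along with "shell.php" (covers multi-extension handler configurations).
function hasExecutableSegment(string $name): bool
{
    foreach (array_slice(explode('.', strtolower($name)), 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXT, true)) {
            return true;
        }
    }
    return false;
}

// True if the body contains a PHP open tag anywhere (long, short-echo or script form).
function looksLikePhp(string $bytes): bool
{
    return preg_match('/<\?(php\b|=)|<script\s+language\s*=\s*["\']?php/i', $bytes) === 1;
}

// Returns null when the $_FILES entry is acceptable, otherwise the reason for rejection.
function rejectReason(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'transfer error';
    }
    $name = basename((string) $file['name']);          // drop any path components
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true) || hasExecutableSegment($name)) {
        return "filename '$name' rejected by extension policy";
    }
    if (looksLikePhp((string) file_get_contents($file['tmp_name']))) {
        return 'PHP open tag found in content';
    }
    return null;
}

// Store under a random server-chosen name outside the document root (assumed path).
function storeUpload(array $file, string $storageDir = '/var/app/uploads'): string
{
    $ext  = strtolower(pathinfo(basename((string) $file['name']), PATHINFO_EXTENSION));
    $dest = $storageDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

If the endpoint accepts archives, apply the same rejectReason checks to every extracted entry before anything is installed; scanning the archive bytes alone does not cover compressed content.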