Cyber Resilience

CVE-2025-43960

Tags: High, Public PoC, RCE

Published: 25 August 2025

Modified: 12 September 2025
CVSS v3.1 base score: 8.6 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS score: 0.0051 (66.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-43960 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adminer (vendor Adminer). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001); ranked in the top 33.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-43960 is a denial-of-service vulnerability affecting Adminer 4.8.1 when Monolog is used for logging. It stems from a PHP object injection issue triggered by a crafted serialized payload, such as one using an excessively large string length like s:1000000000. This causes significant memory consumption, rendering the Adminer interface unresponsive and leading to server-level resource exhaustion. The vulnerability is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) and is associated with CWE-502 (Deserialization of Untrusted Data).

Remote, unauthenticated attackers can exploit this vulnerability by sending a malicious serialized object to Adminer. Successful exploitation forces excessive memory usage, resulting in a denial of service where the server becomes unresponsive. While the server may recover after several minutes, multiple simultaneous requests can precipitate a complete crash requiring manual intervention.

References indicate mitigation through upgrading to Adminer 4.8.2, as shown in the GitHub compare between v4.8.1 and v4.8.2 releases. A proof-of-concept exploit is available in the repository at github.com/far00t01/CVE-2025-43960, and additional details can be found on the official Adminer site at adminer.org and the Monolog repository at github.com/Seldaek/monolog.

Vulnerability details

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer's interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.001 OS Exhaustion Flood (Impact): Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
T1499.003 Application Exhaustion Flood (Impact): Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE-2025-43960 enables unauthenticated remote attackers to trigger PHP Object Injection in Adminer with Monolog, causing memory exhaustion that renders the application unresponsive or crashes the server, facilitating OS exhaustion flood (T1499.001), application exhaustion flood (T1499.003), and application/system exploitation for DoS (T1499.004).

CVEs Like This One

CVE-2026-25892 (same product: Adminer)
CVE-2025-1403 (shared CWE-502)
CVE-2025-22777 (shared CWE-502)
CVE-2025-33213 (shared CWE-502)
CVE-2026-7635 (shared CWE-502)
CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2026-21226 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2026-29782 (shared CWE-502)

Affected Assets

Vendor: adminer
Product: adminer
Version: 4.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation directly addresses the PHP object injection vulnerability by applying patches like upgrading Adminer to version 4.8.2, eliminating the root cause of memory exhaustion.

SC-5 Denial-of-service Protection (prevent): Denial-of-service protection implements mechanisms like rate limiting and resource quotas to block or limit crafted serialized payloads causing excessive memory consumption and server crashes.

SI-10 Information Input Validation (prevent): Information input validation detects and rejects malformed serialized payloads with excessive lengths before they reach the Monolog logging mechanism, mitigating the object injection trigger.
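A pre-check of the kind this control describes, added here as an illustration rather than code from Adminer, Monolog or the referenced PoC repository: it walks the PHP serialization format and rejects a payload whose declared string length (the s:1000000000 pattern above) is not backed by the bytes actually present, exceeds a cap, or whose arrays and objects nest too deeply. The caps and function names are assumptions chosen for the example.

```python
# Added pre-filter (hypothetical helper, not Adminer or Monolog code): reject a PHP-serialized payload before unserialize() sees it.
from typing import Optional

MAX_STRING_LEN = 64 * 1024   # assumed per-string cap; tune for the deployment
MAX_DEPTH = 16               # assumed nesting cap for arrays/objects

def _read_int(buf: bytes, pos: int) -> tuple:
    """Read the digits at pos up to the next ':'; return (value, offset after the ':')."""
    end = buf.find(b":", pos)
    if end < 0 or not buf[pos:end].isdigit():
        raise ValueError(f"bad length field at offset {pos}")
    return int(buf[pos:end]), end + 1

def _expect(buf: bytes, pos: int, token: bytes) -> int:
    if buf[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)

def _walk(buf: bytes, pos: int, max_len: int, depth: int) -> int:
    """Consume one serialized value starting at pos; return the offset just after it."""
    tag, pos = buf[pos:pos + 1], pos + 1
    if tag in (b"N", b"b", b"i", b"d"):               # N;  b:1;  i:42;  d:0.5;
        return buf.index(b";", pos) + 1               # ValueError if unterminated
    if tag == b"s":                                   # s:<len>:"<bytes>";
        length, pos = _read_int(buf, pos + 1)
        if length > max_len:
            raise ValueError(f"declared string length {length} exceeds cap {max_len}")
        if pos + length + 3 > len(buf):               # "<bytes>"; must really be present
            raise ValueError(f"declared length {length} exceeds the {len(buf) - pos - 1} bytes present")
        return _expect(buf, _expect(buf, pos, b'"') + length, b'";')
    if tag in (b"a", b"O"):                           # a:<n>:{k;v;...}  O:<len>:"Class":<n>:{...}
        if depth >= MAX_DEPTH:
            raise ValueError(f"nesting deeper than {MAX_DEPTH} levels")
        if tag == b"O":                               # skip :<len>:"Class" so pos + 1 is the entry count
            name_len, pos = _read_int(buf, pos + 1)
            pos += name_len + 2
        count, pos = _read_int(buf, pos + 1)
        pos = _expect(buf, pos, b"{")
        for _ in range(2 * count):                    # each entry is a key followed by a value
            pos = _walk(buf, pos, max_len, depth + 1)
        return _expect(buf, pos, b"}")
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos - 1}")

def validate_serialized(buf: bytes, max_len: int = MAX_STRING_LEN) -> Optional[str]:
    """Return None when the payload passes, otherwise the reason it was rejected."""
    try:
        _walk(buf, 0, max_len, 0)
    except ValueError as exc:
        return str(exc)
    return None
```

Run it on the raw request body or on the exact value about to be deserialized, and log the returned reason so rejected payloads show up in detection. On the PHP side it complements, rather than replaces, calling unserialize() with the allowed_classes option set.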
