CVE-2025-47784
Published: 15 May 2025
Summary
CVE-2025-47784 is a medium-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Emlog Emlog. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 26.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28126
Vulnerability details
Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and…
more
return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization vulnerability exploitable by registered users via crafted nickname causes admin dashboard crash due to failed deserialization and count exception, enabling application denial of service through exploitation.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
Validates or rejects untrusted serialized data before deserialization occurs.
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information can detect tampering before deserialization occurs.
Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.