Cyber Resilience

CVE-2025-55010

Critical · Public PoC · RCE

Published: 12 August 2025
Modified: 22 August 2025
KEV Added: not listed
Patch: available (version 1.2.47)
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0889 (92.7th percentile)
Risk priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55010 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Kanboard (vendor Kanboard, product Kanboard). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Kanboard, an open-source project management application built around the Kanban methodology, contains an unsafe deserialization flaw in the ProjectActivityEventFormatter component prior to version 1.2.47. The vulnerability, tracked as CVE-2025-55010 and assigned CWE-502, permits an authenticated administrator to supply arbitrary serialized PHP objects through the event["data"] column of the project_activities table, which the formatter then deserializes without validation.

An administrator can therefore craft a malicious payload that leverages existing PHP gadgets to write a web shell into the /plugins directory, resulting in remote code execution on the underlying host. The attack requires authenticated administrative access and the ability to modify database contents directly or via the application; once the shell is placed, the attacker obtains full control of the Kanboard instance and the server it runs on. The issue carries a CVSS 3.1 score of 9.1.

The project maintainers addressed the flaw in release 1.2.47 by updating the formatter logic, as documented in the corresponding GitHub security advisory GHSA-359x-c69j-q64r and the associated code commit. The EPSS score has remained flat at 0.0889 with no observed increase after disclosure.
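As an added illustration (not Kanboard's code and not the project's own fix in 1.2.47, which may differ), the deserialization pattern described above beside a hardened reader and a simple detection check over stored rows; the sample rows and the class name "SomeGadget" are constructed placeholders:

```php
<?php
// Illustrative example, not Kanboard's code: the CWE-502 pattern (raw
// unserialize() of the stored event["data"] column) beside a hardened reader
// and a detection check. Sample rows are constructed; "SomeGadget" is a
// placeholder class name, not a real gadget.

// Constructed row of the expected shape: a serialized associative array.
const SAMPLE_ARRAY_ROW = 'a:2:{s:7:"task_id";i:42;s:5:"title";s:12:"Write report";}';

// Constructed row carrying a serialized object instead of an array.
const SAMPLE_OBJECT_ROW = 'O:10:"SomeGadget":0:{}';

// Vulnerable pattern: whatever sits in the column is deserialized as-is, so
// any autoloadable class can be instantiated and its magic methods
// (__wakeup, __destruct, __toString, ...) run with attacker-chosen state.
function formatEventVulnerable(string $raw): array
{
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// Hardened reader: allowed_classes=false turns every object into
// __PHP_Incomplete_Class, so no application class is instantiated and none of
// its magic methods run; the result is type-checked before use. A stronger
// design stores the column as JSON and reads it with json_decode().
function formatEventHardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        error_log('project_activities: rejected non-array event data');
        return [];
    }
    return $data;
}

// Detection check for incident response: flag stored rows containing an
// object or custom-serialized token (O:<len>:" or C:<len>:"), which a row
// that should hold only scalars and arrays never needs.
function containsSerializedObject(string $raw): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Demonstration on the constructed rows.
var_dump(formatEventHardened(SAMPLE_ARRAY_ROW));
var_dump(formatEventHardened(SAMPLE_OBJECT_ROW));
var_dump(containsSerializedObject(SAMPLE_ARRAY_ROW));
var_dump(containsSerializedObject(SAMPLE_OBJECT_ROW));
```

The detection function can be run over a dump of the project_activities table to find rows that were never produced by the application's own array-only writer.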


Vulnerability details

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectActivityEventFormatter allows admin users the ability to instantiate arbitrary PHP objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a PHP gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unsafe deserialization in the Kanboard web application allows authenticated admins to instantiate arbitrary PHP objects, leading to RCE (T1190); the demonstrated gadget chain deploys a web shell (T1505.003).

CVEs Like This One

CVE-2026-25924 (same product: Kanboard Kanboard)
CVE-2026-21881 (same product: Kanboard Kanboard)
CVE-2026-24885 (same product: Kanboard Kanboard)
CVE-2026-29056 (same product: Kanboard Kanboard)
CVE-2026-25031 (shared CWE-502)
CVE-2025-31103 (shared CWE-502)
CVE-2026-35537 (shared CWE-502)
CVE-2026-27369 (shared CWE-502)
CVE-2026-2471 (shared CWE-502)
CVE-2024-13770 (shared CWE-502)

Affected Assets

Vendor: kanboard
Product: kanboard
Versions: ≤ 1.2.47

Mitigating Controls

NIST 800-53 r5 controls (AI-assigned):

Prevent (SI-2 Flaw Remediation): Timely flaw remediation through patching to Kanboard version 1.2.47 directly eliminates the unsafe deserialization vulnerability.

Prevent (SI-10 Information Input Validation): Information input validation on the event["data"] field prevents instantiation of arbitrary PHP objects during deserialization.

Prevent (AC-6 Least Privilege): Least privilege limits admin access to modify the project_activities table, reducing the attack surface for exploitation.
