CVE-2025-55010

CriticalPublic PoCRCE

Published: 12 August 2025

Published

12 August 2025

Modified

22 August 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0525 90.0th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55010 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Kanboard Kanboard. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through patching to Kanboard version 1.2.47 directly eliminates the unsafe deserialization vulnerability.

SI-10 Information Input Validation good match

prevent

Information input validation on the event["data"] field prevents instantiation of arbitrary PHP objects during deserialization.

AC-6 Least Privilege partial match

prevent

Least privilege limits admin access to modify the project_activities table, reducing the attack surface for exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unsafe deserialization in Kanboard web application allows authenticated admins to instantiate arbitrary PHP objects for RCE (T1190), demonstrated by gadget chain to deploy web shell (T1505.003).

NVD Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities…

table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.

Deeper analysisAI

CVE-2025-55010 is an unsafe deserialization vulnerability (CWE-502) in Kanboard, an open-source project management software focused on the Kanban methodology. The issue affects versions prior to 1.2.47 and resides in the ProjectEventActivityFormatter component, which allows admin users to instantiate arbitrary PHP objects by modifying the event["data"] field in the project_activities database table.

Admin users with high privileges can exploit this vulnerability remotely with low complexity and no user interaction required, leading to a scope change and high impacts across confidentiality, integrity, and availability (CVSS 9.1). By updating the event["data"] field with a PHP gadget chain, an attacker can write a web shell into the /plugins folder, achieving remote code execution on the host system.

The vulnerability has been addressed in Kanboard version 1.2.47, as detailed in the project's GitHub security advisory (GHSA-359x-c69j-q64r) and the associated patch commit. Security practitioners should upgrade to the fixed version and review access controls for admin users on affected installations.