CVE-2025-55010
Published: 12 August 2025
Summary
CVE-2025-55010 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Kanboard. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Kanboard, an open-source project management application built around the Kanban methodology, contains an unsafe deserialization flaw in the ProjectActivityEventFormatter component prior to version 1.2.47. The vulnerability, tracked as CVE-2025-55010 and assigned CWE-502, permits an authenticated administrator to supply arbitrary serialized PHP objects through the event["data"] column of the project_activities table, which the formatter then deserializes without validation.
An administrator can therefore craft a malicious payload that leverages existing PHP gadgets to write a web shell into the /plugins directory, resulting in remote code execution on the underlying host. The attack requires authenticated administrative access and the ability to modify database contents directly or via the application; once the shell is placed, the attacker obtains full control of the Kanboard instance and the server it runs on. The issue carries a CVSS 3.1 score of 9.1.
The project maintainers addressed the flaw in release 1.2.47 by updating the formatter logic, as documented in the corresponding GitHub security advisory GHSA-359x-c69j-q64r and the associated code commit. The EPSS score has remained flat at 0.0889 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24264
Vulnerability details
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActivityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization in the Kanboard web application allows authenticated admins to instantiate arbitrary PHP objects for RCE (T1190), demonstrated by a gadget chain that deploys a web shell (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (SI-2): timely patching to Kanboard version 1.2.47 directly eliminates the unsafe deserialization vulnerability.
- Information input validation (SI-10): validating the event["data"] field prevents instantiation of arbitrary PHP objects during deserialization.
- Least privilege: limiting which admin accounts can modify the project_activities table reduces the attack surface for exploitation.
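The input-validation control above, and the deserialization flaw described under "Deeper analysis", both come down to one pattern: a column read back from the database is handed to PHP's `unserialize()` with no restriction on which classes it may instantiate. The following is an added example written for this page, not Kanboard's own code or its 1.2.47 fix. It places the unguarded pattern beside a guarded decoder that refuses any object (using the real `allowed_classes` option of `unserialize()`) and a JSON-based alternative for new data. The function names, the `isPlainData()` helper and the sample inputs are hypothetical; only the `project_activities` / `event["data"]` names come from the advisory.

```php
<?php
// Added example, not Kanboard's code. Shows how the "data" column of a
// project_activities row should be decoded so that no PHP object can be
// instantiated from attacker-controlled bytes (CWE-502 mitigation).

// UNSAFE pattern: unserialize() with default options instantiates whatever
// class name appears in the payload, running its __wakeup()/__destruct()
// magic methods. This is the shape of the flaw the advisory describes.
function decodeEventDataUnsafe(string $raw): array
{
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// Recursively confirm a decoded value holds only scalars, null and arrays.
// Anything that is_object() is refused, including __PHP_Incomplete_Class,
// which is what allowed_classes => false turns serialized objects into.
function isPlainData($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!isPlainData($item)) {
                return false;
            }
        }
        return true;
    }
    return $value === null || is_scalar($value);
}

// HARDENED decoder for legacy rows that are already stored in PHP's native
// serialization format. allowed_classes => false guarantees no application
// class is ever instantiated; the plain-data check then rejects the
// placeholder objects so callers only ever see arrays of scalars.
function decodeEventDataSafe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || !isPlainData($data)) {
        throw new RuntimeException('event data must be a plain array');
    }
    return $data;
}

// Preferred format for newly written rows: JSON has no object-instantiation
// semantics at all, so a tampered column can at worst be malformed.
function encodeEventDataJson(array $data): string
{
    return json_encode($data, JSON_THROW_ON_ERROR);
}

function decodeEventDataJson(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('event data must be a JSON object or array');
    }
    return $data;
}

// Constructed sample inputs (hypothetical, not taken from any real database).
// A benign array, as the application itself would write it...
$plainRow = serialize(['title' => 'Task renamed', 'task_id' => 42]);
// ...and a row whose payload carries a serialized object. stdClass is harmless,
// but the hardened decoder must reject any object regardless of its class.
$objectRow = serialize((object) ['marker' => 'tampered']);

$decoded = decodeEventDataSafe($plainRow);
echo 'task_id: ', $decoded['task_id'], PHP_EOL;

try {
    decodeEventDataSafe($objectRow);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Round trip through the JSON encoding used for new rows.
$json = encodeEventDataJson(['title' => 'Task renamed', 'task_id' => 42]);
echo 'json task_id: ', decodeEventDataJson($json)['task_id'], PHP_EOL;
```

A detection angle follows from the same decoder: because legitimate activity payloads are arrays of scalars, any `project_activities` row whose `data` column begins with `O:` (PHP's serialized-object prefix) or fails `decodeEventDataSafe()` is worth alerting on, since the application has no reason to write one.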