CVE-2025-9296
Published: 21 August 2025
Summary
CVE-2025-9296 is an Improper Access Control (CWE-284) vulnerability in Emlog Pro (versions up to 2.5.18). The summary severity shown on this page is 2.0 (Low); this does not match the CVSS v3.1 base score of 4.7 (Medium) that the vector given in the deeper analysis below yields, so treat 4.7 as the CVSS v3.1 value.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9296 is a security vulnerability in Emlog Pro versions up to 2.5.18 that enables unrestricted file upload. The issue affects an unknown function within the file /admin/blogger.php?action=update_avatar, where manipulation of the image argument allows an attacker to upload arbitrary files. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 4.7 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L.
The vulnerability is exploitable remotely over the network with low attack complexity and no user interaction, but it requires high privileges (PR:H): the affected endpoint sits under /admin, so the attacker needs an authenticated administrator account. The vector rates the impact on confidentiality, integrity and availability as Low, but the practical consequence depends on server configuration: if the upload directory is served by PHP, an uploaded script becomes a web shell and the foothold extends well beyond the scored impact.
Advisories on VulDB and a GitHub issue describe the vulnerability and note that an exploit has been publicly disclosed. The vendor was contacted early about the disclosure but did not respond, so no official patch or mitigation guidance is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25414
Vulnerability details
A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web application (/admin/blogger.php?action=update_avatar) maps to exploitation of a public-facing application (T1190), deployment of web shells via uploaded malicious PHP scripts (T1505.003), and staging of tools or malware on the compromised host (T1608.002). Note that the CVSS vector requires high privileges (PR:H), so these steps presuppose an authenticated administrator account rather than an unauthenticated attacker.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforce the access control policy on /admin/blogger.php?action=update_avatar so that only an authenticated, authorized administrator can reach the handler and only the permitted operations on the image argument are allowed.
- SI-10 (Information Input Validation): validate the uploaded image by file type and content before accepting it, rejecting anything that is not a decodable image, which directly blocks the unrestricted dangerous-type upload.
- Least privilege (AC-6): restrict the administrative account and the web server's write access to the minimum required for avatar updates, so a file that does get written cannot be executed or placed outside the avatar directory.
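The following is an added example, not Emlog's code, showing how the three controls above translate into an avatar-upload handler for the endpoint described in the deeper analysis. It assumes a session array carrying `role`, `csrf_token` and `uid`, an upload field named `image` (the argument named in the advisory), and a storage directory `content/uploadfile/avatar`; all of these names are assumptions. The key design points are that the type is sniffed from the bytes rather than taken from the client, the image is re-encoded through GD so any embedded payload is dropped, and the server chooses the filename and extension.

```php
<?php
// Added example (not Emlog's code). Hardened avatar upload for
// /admin/blogger.php?action=update_avatar. Names and paths are assumptions.
declare(strict_types=1);

const AVATAR_DIR   = __DIR__ . '/content/uploadfile/avatar'; // assumed storage dir
const MAX_BYTES    = 512 * 1024;
// Only real image types; the client-supplied extension is never consulted.
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * AC-3: the handler itself checks that the caller is an authenticated
 * administrator presenting a valid CSRF token before any upload logic runs.
 */
function assertAdminRequest(array $session, array $post): void
{
    if (($session['role'] ?? null) !== 'admin') {
        http_response_code(403);
        exit('forbidden');
    }
    if (!hash_equals((string) ($session['csrf_token'] ?? ''), (string) ($post['token'] ?? ''))) {
        http_response_code(403);
        exit('bad token');
    }
}

/**
 * SI-10: validate by content. $file['name'] and $file['type'] are attacker
 * controlled and are ignored. Returns the extension to use, or throws.
 */
function validateImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the MIME type from the file bytes (libmagic), not from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException("disallowed type: $mime");
    }
    // A PHP payload can sit behind a valid image header (e.g. a GIF89a prefix);
    // require that the file also parses as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return ALLOWED_MIME[$mime];
}

/**
 * Re-encode through GD so trailing data and metadata are discarded, then store
 * under a server-generated name. The client never chooses the filename or the
 * extension, which closes the "avatar.php" and "x.php.png" variants.
 */
function storeAvatar(string $tmpPath, string $ext, int $userId): string
{
    $img = match ($ext) {
        'png' => imagecreatefrompng($tmpPath),
        'jpg' => imagecreatefromjpeg($tmpPath),
        'gif' => imagecreatefromgif($tmpPath),
    };
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }
    $dest = AVATAR_DIR . '/' . $userId . '_' . bin2hex(random_bytes(8)) . '.png';
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('write failed');
    }
    chmod($dest, 0644); // AC-6: readable, not writable by the web server afterwards
    return $dest;
}

// Request flow for the update_avatar action.
assertAdminRequest($_SESSION ?? [], $_POST);
try {
    $ext  = validateImage($_FILES['image'] ?? []);
    $path = storeAvatar($_FILES['image']['tmp_name'], $ext, (int) ($_SESSION['uid'] ?? 0));
    echo json_encode(['ok' => true, 'avatar' => basename($path)]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

Even with this handler, the avatar directory should be configured in the web server so that nothing under it is executed as PHP (for example, no PHP handler mapped for that location); re-encoding to PNG makes a web shell very unlikely to survive, but denying execution in the upload path is the control that holds when validation is bypassed.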