Cyber Resilience

CVE-2025-9296

LowPublic PoC

Published: 21 August 2025

Published
21 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.1th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9296 is a low-severity Improper Access Control (CWE-284) vulnerability in Emlog Emlog. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-9296 is a security vulnerability in Emlog Pro versions up to 2.5.18 that enables unrestricted file upload. The issue affects an unknown function within the file /admin/blogger.php?action=update_avatar, where manipulation of the image argument allows attackers to upload arbitrary files. Associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely over the network with low complexity and no user interaction required, but demands high privileges such as administrative access. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, potentially allowing attackers to upload malicious files that could lead to further compromise depending on server configuration.

Advisories referenced on VulDB and a GitHub issue detail the vulnerability and note that the exploit has been publicly disclosed. The vendor was contacted early regarding disclosure but provided no response, leaving no official patches or mitigation guidance available.

EU & UK References

Vulnerability details

A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The…

more

exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1608.002 Upload Tool Resource Development
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

Unrestricted file upload in public-facing web app (/admin/blogger.php?action=update_avatar) enables exploitation of public-facing application (T1190), deployment of web shells via uploaded malicious PHP scripts (T1505.003), and staging of tools/malware (T1608.002) without authentication.

CVEs Like This One

CVE-2026-22799Same product: Emlog Emlog
CVE-2025-25783Same product: Emlog Emlog
CVE-2025-29401Same product: Emlog Emlog
CVE-2026-21433Same product: Emlog Emlog
CVE-2025-30372Same product: Emlog Emlog
CVE-2026-34607Same product: Emlog Emlog
CVE-2026-21430Same product: Emlog Emlog
CVE-2025-25825Same product: Emlog Emlog
CVE-2025-61318Same product: Emlog Emlog
CVE-2026-31954Same product: Emlog Emlog

Affected Assets

emlog
emlog
≤ 2.5.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces access control policy on /admin/blogger.php?action=update_avatar so that only permitted operations on the image argument are allowed.

prevent

Requires validation of the uploaded image file type and content before acceptance, directly blocking unrestricted dangerous file uploads.

prevent

Restricts the administrative account to the minimum privileges required for avatar updates, reducing the impact surface of the exposed function.

References