Cyber Resilience

CVE-2026-25614

Severity: High · Type: RCE (object injection / deserialization)
Published: 03 February 2026
Modified: 13 February 2026
KEV Added: not listed
Patch: available (Blesta 5.13.3 or later)
CVSS v3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25614 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Phillipsdata Blesta, with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), in practice upgrading to a fixed release, and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25614 is an object injection vulnerability (CWE-502), tracked by the vendor as CORE-5680, affecting Blesta 3.x through 5.x before 5.13.3. Blesta is a PHP application, and in PHP "object injection" is the bug class in which attacker-controlled serialized data reaches unserialize(): the attacker chooses which classes are instantiated and with what property values, and any __wakeup(), __destruct() or similar magic method on those classes then runs on the attacker's data. Whether that yields arbitrary code execution, file writes, or only data tampering depends on the gadget classes available in the application and its dependencies, which is why the advisory rates the potential impact as severe without pinning it to one outcome.

Exploitation requires low privileges (PR:L), can be performed over the network (AV:N) without user interaction (UI:N), but has high attack complexity (AC:H) with unchanged scope (S:U); AC:H denotes conditions outside the attacker's direct control, such as needing a usable gadget chain in the deployed code. A successful attack yields high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), giving the CVSS v3.1 base score of 7.5. Low-privileged users, such as authenticated customers or staff with limited access, could leverage this to escalate privileges or compromise the hosting environment.

Mitigation is to upgrade to Blesta 5.13.3 or later, the first release outside the affected version range; verify the installed version after patching rather than relying on the scheduled update. Additional details are in the official Blesta security advisory at https://www.blesta.com/2026/01/28/security-advisory/ and the Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2026/Feb/2.

Vulnerability details

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

An object injection (deserialization) vulnerability in a public-facing Blesta instance is remotely exploitable by low-privileged users and can lead to code execution and privilege escalation. That maps to T1190 for initial access, T1068 for the escalation, and T1059 for the resulting command or script execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
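As an added detection example that is not part of this page or of Blesta: the T1190 attempt against a CWE-502 bug shows up in web logs as a serialized PHP object (the O:<len>:"Class":<n>:{ marker) inside a parameter, cookie or body, often percent-encoded or base64-wrapped. The scanner below looks through both encodings. The log lines are constructed, and the class name CacheWriter, the /client/ paths and the parameter names are assumptions, not Blesta's.

```php
<?php
// Added detection example for this page; not Blesta or vendor code. The log
// lines are constructed, and "CacheWriter", the /client/... paths and the
// parameter names are illustrative assumptions.
declare(strict_types=1);

// Start of a serialized PHP object: O:<len>:"<Class>":<count>:{
// Class names may carry namespace separators, hence the escaped backslashes.
const PHP_OBJECT_MARKER = '/\bO:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

// Runs of base64 text long enough to hide a serialized object.
const BASE64_RUN = '/[A-Za-z0-9+\/]{16,}={0,2}/';

/** Return the object markers found in one log line, looking through
 *  percent-encoding and base64 wrapping. */
function findSerializedObjects(string $logLine): array
{
    // rawurldecode keeps '+' intact so base64 runs are not split apart.
    $texts = [$logLine, rawurldecode($logLine)];
    $candidates = $texts;
    foreach ($texts as $text) {
        if (preg_match_all(BASE64_RUN, $text, $m)) {
            foreach ($m[0] as $run) {
                $decoded = base64_decode($run, true);
                if ($decoded !== false) {
                    $candidates[] = $decoded;
                }
            }
        }
    }
    $hits = [];
    foreach ($candidates as $text) {
        if (preg_match_all(PHP_OBJECT_MARKER, $text, $m)) {
            foreach ($m[0] as $hit) {
                $hits[] = $hit;
            }
        }
    }
    return array_values(array_unique($hits));
}

/** Map 1-based line numbers to the markers found, skipping clean lines. */
function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        $hits = findSerializedObjects($line);
        if ($hits !== []) {
            $alerts[$i + 1] = $hits;
        }
    }
    return $alerts;
}

// Constructed sample: one benign request, one percent-encoded payload in a
// POST body, one base64-wrapped payload in a query string.
$sampleLog = [
    '203.0.113.10 - - [03/Feb/2026:10:00:01 +0000] "GET /client/login HTTP/1.1" 200 cookie="sid=4f2a9c"',
    '203.0.113.10 - - [03/Feb/2026:10:00:09 +0000] "POST /client/settings HTTP/1.1" 200 '
        . 'body="prefs=O%3A11%3A%22CacheWriter%22%3A2%3A%7Bs%3A4%3A%22path%22%3Bs%3A6%3A%22/tmp/x%22%3B%7D"',
    '198.51.100.7 - - [03/Feb/2026:10:01:40 +0000] "GET /client/?theme='
        . base64_encode('O:11:"CacheWriter":2:{s:4:"path";s:6:"/tmp/x";}')
        . ' HTTP/1.1" 200',
];

foreach (scanLog($sampleLog) as $lineNo => $markers) {
    printf("line %d: serialized object marker(s) %s\n", $lineNo, implode(', ', $markers));
}
```

Run it with `php scan.php`; only the second and third constructed lines should be flagged. The marker alone is a hunting signal, not proof of exploitation: a legitimate application may serialize objects into cookies, so tune the rule to the parameters your deployment actually uses and correlate a hit with the 200/500 response and any follow-on file writes.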

CVEs Like This One

CVE-2026-25615 (same product: Phillipsdata Blesta)
CVE-2026-29782 (shared CWE-502)
CVE-2025-54007 (shared CWE-502)
CVE-2026-42778 (shared CWE-502)
CVE-2025-60215 (shared CWE-502)
CVE-2025-68047 (shared CWE-502)
CVE-2026-22345 (shared CWE-502)
CVE-2024-28988 (shared CWE-502)
CVE-2026-24978 (shared CWE-502)
CVE-2025-49869 (shared CWE-502)

Affected Assets

phillipsdata : blesta, versions 3.0.0 through 5.13.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mandates identification, reporting, and correction of the object injection flaw in Blesta versions prior to 5.13.3, in practice upgrading to 5.13.3 or later.

SI-10 Information Input Validation (prevent)

Requires validation of untrusted inputs at system entry points so that client-supplied serialized data is never deserialized into application classes.

SI-16 Memory Protection (prevent)

Implements memory safeguards such as ASLR and DEP. These offer little against PHP object injection, where a gadget chain executes interpreted PHP through the application's own classes rather than corrupting memory, so this control does not substitute for the two above.
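The following is an added example, not Blesta's code, and it makes no claim about where in Blesta the flawed call sits. It illustrates the mechanism described in the deeper analysis above (an innocuous class becomes a gadget once unserialize() accepts attacker data) beside the input-validation fix that SI-10 asks for: refuse to instantiate objects from untrusted input, or drop native serialization for a format with no object semantics. The CacheWriter class, the "settings" cookie and the /tmp paths are assumptions; it needs PHP 8 or later.

```php
<?php
// Added example for this page; it is not Blesta code and makes no claim about
// where Blesta's own unserialize() call sits. The class CacheWriter, the
// "settings" cookie and the /tmp paths are illustrative assumptions.
declare(strict_types=1);

// A class that is legitimately loadable by the application. Its __destruct()
// runs when the object is garbage-collected, so an attacker who can make
// unserialize() build one never has to call anything: that is what turns an
// innocuous class into a "gadget".
class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    public function __destruct()
    {
        // A real gadget chain would aim this at a .php file under the web root.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: the serialized blob comes straight from the client.
function loadSettingsVulnerable(string $cookie): mixed
{
    return unserialize($cookie);   // instantiates whatever class the blob names
}

// Hardened pattern 1: keep unserialize() but forbid object instantiation.
// Any object in the blob becomes __PHP_Incomplete_Class, whose magic methods
// never reach application code; objects are then rejected outright because
// settings should only ever be scalars and arrays.
function loadSettingsHardened(string $cookie): mixed
{
    $value = unserialize($cookie, ['allowed_classes' => false]);
    return is_object($value) ? null : $value;
}

// Hardened pattern 2 (preferred for new code): a format with no object
// semantics at all, so there is nothing to inject.
function loadSettingsJson(string $cookie): ?array
{
    $value = json_decode($cookie, true, 512, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Constructed attacker payload: a CacheWriter whose destructor will write
// attacker-chosen content to an attacker-chosen path.
$target  = '/tmp/poc_injected.txt';
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"pwned";}',
    strlen($target),
    $target
);
@unlink($target);

// Vulnerable loader: the gadget is built and its destructor fires on unset().
$obj = loadSettingsVulnerable($payload);
$gadgetBuilt = $obj instanceof CacheWriter;
unset($obj);
$fileWritten = file_exists($target);
@unlink($target);

// Hardened loader: no CacheWriter is ever constructed, so nothing is written.
$safe = loadSettingsHardened($payload);
$fileWrittenHardened = file_exists($target);

// JSON loader: the same payload is simply not valid JSON and is rejected.
try {
    $json = loadSettingsJson($payload);
} catch (JsonException $e) {
    $json = null;
}

printf("vulnerable: gadget built=%s, file written=%s\n",
    var_export($gadgetBuilt, true), var_export($fileWritten, true));
printf("hardened:   value=%s, file written=%s\n",
    var_export($safe, true), var_export($fileWrittenHardened, true));
printf("json:       value=%s\n", var_export($json, true));
```

Run it with `php poc.php`. The allowed_classes option has existed since PHP 7.0; an allowlist of named classes is also possible, but it is only as safe as the magic methods of every class listed, so false is the right default for data that should never contain objects. Neither hardened loader replaces the upgrade to 5.13.3: they illustrate the control, not the vendor's fix.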
