CVE-2026-25614
Published: 03 February 2026
Summary
CVE-2026-25614 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Phillipsdata Blesta. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 18.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25614 is a PHP object injection vulnerability (CWE-502), tracked as CORE-5680, affecting Blesta versions 3.x through 5.x prior to 5.13.3. Attacker-controlled data reaches a deserialization call, so the attacker chooses which classes are instantiated and with which property values; magic methods on those objects (for example __wakeup or __destruct) then run without the application ever invoking them. Whether this yields arbitrary code execution, arbitrary file writes or another impact depends on the gadget classes loaded in the environment.
Exploitation requires low privileges (PR:L), can be performed over the network (AV:N) without user interaction (UI:N), but demands high attack complexity (AC:H) with unchanged scope (S:U). A successful attack yields high impact on confidentiality, integrity and availability (C:H/I:H/A:H); the full CVSS v3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H gives the base score of 7.5. Low-privileged users, such as authenticated customers or staff with limited access, could leverage this to escalate privileges or compromise the hosting environment.
Mitigation involves upgrading to Blesta 5.13.3 or later, the first release outside the affected version range. Additional details are available in the official Blesta security advisory at https://www.blesta.com/2026/01/28/security-advisory/ and the Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2026/Feb/2.
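The mechanism above, as an added illustration that is not Blesta's code: this page does not describe the CORE-5680 entry point or gadget, so the example shows the generic PHP object-injection pattern with a hypothetical gadget class (TemplateCache), the vulnerable call, and two hardened forms that correspond to the SI-10 input-validation control listed under Mitigating Controls. All function and class names are assumptions; it assumes PHP 8.0 or later and writes only to the system temp directory.

```php
<?php
// Added example (not Blesta code): generic PHP object injection (CWE-502)
// and its hardened counterparts. All names here are hypothetical.
declare(strict_types=1);

// A "gadget": any loaded class whose magic method does something dangerous
// when an attacker-controlled instance is rebuilt and later destroyed.
final class TemplateCache
{
    public function __construct(public string $path = '', public string $body = '') {}

    // Runs automatically when the object is garbage-collected, even if the
    // application never calls a method on it.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->body); // attacker-chosen file write
        }
    }
}

// VULNERABLE: client-supplied data decides which classes are instantiated.
function restoreStateVulnerable(string $clientData): mixed
{
    return unserialize($clientData);
}

// HARDENED 1: forbid object instantiation. Any O:/C: token is rebuilt as
// __PHP_Incomplete_Class, so no gadget magic method ever runs.
function restoreStateNoObjects(string $clientData): mixed
{
    return unserialize($clientData, ['allowed_classes' => false]);
}

// HARDENED 2 (SI-10 at the entry point): reject input that names a class
// before unserialize() is reached, cap its size, and check the result type.
function looksLikeObjectPayload(string $data): bool
{
    // O:<len>:"Class" (object), C:<len>:"Class" (custom-serialized object)
    // and E:<len>:"Enum:Case" (enum, PHP 8.1+) are the tokens that name a class.
    return (bool) preg_match('/\b[OCE]:\d+:"/', $data);
}

function restoreStateValidated(string $clientData, int $maxLen = 4096): array
{
    if (strlen($clientData) > $maxLen || looksLikeObjectPayload($clientData)) {
        throw new InvalidArgumentException('rejected untrusted serialized input');
    }
    $value = unserialize($clientData, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected array state');
    }
    return $value;
}

// Constructed attacker payload (hand-written, not produced by serialize(),
// so no TemplateCache instance exists until the vulnerable call rebuilds one).
$target  = sys_get_temp_dir() . '/oi-demo-' . getmypid() . '.txt';
$payload = sprintf(
    'O:13:"TemplateCache":2:{s:4:"path";s:%d:"%s";s:4:"body";s:5:"pwned";}',
    strlen($target), $target
);

// Vulnerable path: the object is rebuilt, and its destructor fires when the
// variable is released, writing the attacker's file.
$obj = restoreStateVulnerable($payload);
var_dump($obj instanceof TemplateCache); // bool(true)
unset($obj);
var_dump(file_exists($target));          // bool(true)
@unlink($target);

// Hardened 1: the class token survives only as __PHP_Incomplete_Class.
$safe = restoreStateNoObjects($payload);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true)
unset($safe);
var_dump(file_exists($target));                     // bool(false)

// Hardened 2: rejected before unserialize() runs; plain array state still round-trips.
try {
    restoreStateValidated($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(restoreStateValidated(serialize(['page' => 2, 'sort' => 'asc'])));
```

The regex check is defence in depth only: it is conservative (it also rejects legitimate strings that happen to contain an O:/C:/E: token) and must not be relied on alone. The durable fix is the one on the allowed_classes line, or better, not passing client-controlled data to unserialize() at all and using a format such as JSON that cannot name classes.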
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5170
Vulnerability details
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The object injection (deserialization) flaw sits in a public-facing Blesta application and is reachable over the network by a low-privileged authenticated user, so it maps to T1190 (Exploit Public-Facing Application) for initial access, T1068 (Exploitation for Privilege Escalation) for moving from a limited account to control of the application or host, and T1059 (Command and Scripting Interpreter) for the code execution that follows a successful gadget chain.
Affected Assets
- Blesta 3.x through 5.x before 5.13.3 (fixed in 5.13.3)
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identification, reporting and correction of the flaw, here by upgrading Blesta to 5.13.3 or later.
- SI-10 (Information Input Validation): requires validation of untrusted input at system entry points so that client-supplied serialized data is never passed to a deserialization call that can instantiate arbitrary classes.
- SI-16 (Memory Protection): memory safeguards such as ASLR and DEP. These only hinder chains that corrupt the PHP runtime itself; a typical PHP object-injection chain executes through the interpreter's ordinary semantics (magic methods on legitimately loaded classes), which ASLR and DEP do not affect, so this control is secondary for this vulnerability.