CVE-2025-52136
BaseFortify
Publication date: 2025-08-10
Last updated on: 2025-08-12
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emqx | emqx | 5.8.6 |
| emqx | emqx | 5.8.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check, or incorrectly checks, for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52136 is a vulnerability in EMQX versions before 5.8.6 in which administrators can install arbitrary plugins via the Dashboard web interface without sufficient authorization checks. An attacker with Dashboard access can therefore deploy a malicious plugin that executes arbitrary system commands on the server, effectively achieving remote code execution (RCE). The supplier considers this behavior intended, but version 5.8.6 introduced a defense-in-depth feature that requires explicit CLI authorization to approve a plugin before it can be installed, mitigating the risk. [2]
How can this vulnerability impact me?
If you are running an EMQX version prior to 5.8.6 and an attacker obtains administrative access to the Dashboard, this vulnerability allows them to install malicious plugins that execute arbitrary commands on your server. This can lead to remote code execution, potentially compromising the server and resulting in unauthorized control, data manipulation, or disruption of services. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your EMQX installation is running a version prior to 5.8.6 and whether unauthorized or unfamiliar plugins have been installed via the Dashboard interface. Since the Dashboard listens on port 18083 by default, verify who can reach this port and inspect the installed plugins. Monitoring for unusual plugin installation activity or unexpected plugin packages can also indicate exploitation attempts. The resources do not provide specific commands, but you can use EMQX CLI commands to list installed plugins and check their approval status, for example `emqx ctl plugins list` and `emqx ctl plugins allow` (in versions 5.8.6 and later). Reviewing Dashboard access logs and plugin installation events can also help detect exploitation. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade your EMQX installation to version 5.8.6 or later, which introduces a defense-in-depth feature requiring explicit CLI authorization to approve plugins before they can be installed via the Dashboard or HTTP API. If upgrading is not immediately possible, restrict access to the EMQX Dashboard (default port 18083) to trusted administrators only, enforce strong authentication, and monitor for unauthorized plugin installations. Once on 5.8.6 or later, use the `emqx ctl plugins allow` CLI command to control which plugins are permitted. Consider disabling plugin installation via the Dashboard, if feasible, until the upgrade is applied. [2, 1]