CVE-2025-52136

Published: Aug 10, 2025

Modified: Aug 12, 2025

PUBLISHED

CVSS v3.1

3.0

LOW

Description

In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command.

Vendor	Product	Versions
EMQX	EMQX	affected `0 - < 5.8.6`

Weaknesses (CWE)

CWE-754

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/ricardojoserf/emqx-RCE

https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html

https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-52136

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References