CVE-2025-52136

low-risk
Published 2025-08-10

In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.0/10 Low
NETWORK / HIGH complexity

References (4)

https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html
https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html
https://github.com/ricardojoserf/emqx-RCE
https://github.com/ricardojoserf/emqx-RCE
16
/ 100
low-risk
Severity 11/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal