CVE-2025-2244

A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses php unserialize() on user-supplied input without validation. By crafting a malicious serialized payload, an attacker can trigger PHP object injection, perform a file write, and gain arbitrary command execution on the host system.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://bitdefender.com/support/security-advisories/insecure-php-deserialization-issue-in-gravityzone-console-va-12634	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bitdefender:gravityzone:*:*:*:*:*:*:*:*

History

30 Jul 2025, 19:04

Type	Values Removed	Values Added
CPE		cpe:2.3:a:bitdefender:gravityzone::::::::
First Time		Bitdefender Bitdefender gravityzone
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() http://bitdefender.com/support/security-advisories/insecure-php-deserialization-issue-in-gravityzone-console-va-12634 -~~	() http://bitdefender.com/support/security-advisories/insecure-php-deserialization-issue-in-gravityzone-console-va-12634 - Vendor Advisory

07 Apr 2025, 14:18

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en el método sendMailFromRemoteSource de Emails.php, utilizado en Bitdefender GravityZone Console, utiliza de forma insegura la función php unserialize() en la entrada proporcionada por el usuario sin validación. Al manipular un payload serializado malicioso, un atacante puede activar la inyección de objetos PHP, escribir en un archivo y ejecutar comandos arbitrarios en el sistema host.

04 Apr 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-04 10:15

Updated : 2025-07-30 19:04

NVD link : CVE-2025-2244

Mitre link : CVE-2025-2244

CVE.ORG link : CVE-2025-2244

JSON object : View

Products Affected

bitdefender

gravityzone

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-2244", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-04T10:15:16.580", "references": [{"url": "http://bitdefender.com/support/security-advisories/insecure-php-deserialization-issue-in-gravityzone-console-va-12634", "tags": ["Vendor Advisory"], "source": "cve-requests@bitdefender.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-requests@bitdefender.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the\u00a0sendMailFromRemoteSource\u00a0method in Emails.php\u00a0 as used in Bitdefender GravityZone Console unsafely uses php unserialize()\u00a0on user-supplied input without validation. By crafting a malicious serialized payload, an attacker can trigger PHP object injection, perform a file write, and gain arbitrary command execution on the host system."}, {"lang": "es", "value": "Una vulnerabilidad en el m\u00e9todo sendMailFromRemoteSource de Emails.php, utilizado en Bitdefender GravityZone Console, utiliza de forma insegura la funci\u00f3n php unserialize() en la entrada proporcionada por el usuario sin validaci\u00f3n. Al manipular un payload serializado malicioso, un atacante puede activar la inyecci\u00f3n de objetos PHP, escribir en un archivo y ejecutar comandos arbitrarios en el sistema host."}], "lastModified": "2025-07-30T19:04:47.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bitdefender:gravityzone:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5A7430E-6DF9-4C56-875F-F0378C741E71", "versionEndExcluding": "6.41.2-1"}], "operator": "OR"}]}], "sourceIdentifier": "cve-requests@bitdefender.com"}