CVE-2025-5114

MEDIUM

Easycorp Zentao - Insecure Deserialization

Title source: rule

Description

A vulnerability has been found in easysoft zentaopms 21.5_20250307 and classified as critical. This vulnerability affects the function Edit of the file /index.php?m=editor&f=edit&filePath=cGhhcjovLy9ldGMvcGFzc3dk&action=edit of the component Committer. The manipulation of the argument filePath leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (5)

[Exploit, Mitigation, Third Party Advisory] https://github.com/3em0/cve_repo/blob/main/zentaopms/Phar%20Bypass%20Vulnerability%20in%20ZenTao.md

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://github.com/3em0/cve_repo/blob/main/zentaopms/Phar%20Bypass%20Vulnerability%20in%20ZenTao.md#exploitation

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.310090

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.310090

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.570727

Scores

CVSS v3 6.3

EPSS 0.0012

EPSS Percentile 30.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (1)

easycorp/zentao

Timeline

Published May 23, 2025

Tracked Since Feb 18, 2026