A critical vulnerability in Bitdefender GravityZone Console, tracked as CVE-2025-2244, carries a CVSS score of 9.5. It stems from an insecure PHP deserialization issue and poses significant risk to enterprise security infrastructures that rely on this widely used endpoint protection platform.

The flaw exists in the sendMailFromRemoteSource method within the Emails.php file, where the application unsafely passes user-controlled input to PHP's unserialize() function without proper validation. Through this attack vector, malicious actors can exploit PHP's magic methods to perform file operations and ultimately achieve arbitrary command execution on the hosting server. This could lead to complete compromise of the GravityZone management console and potentially provide a foothold for lateral movement within the organization's network.

The vulnerability was discovered and reported by security researcher Nicolas Verdier (@n1nj4sec) as part of responsible disclosure. Bitdefender has addressed it in GravityZone Console version 6.41.2-1, which has been released as an automatic update. The fix implements proper input validation before deserialization and adopts safer alternatives to PHP's native unserialize() function.

Organizations using Bitdefender GravityZone Console should prioritize this update, given the vulnerability's critical nature and the sensitive role that security management platforms play in organizational defense. PHP object injection vulnerabilities continue to be discovered in enterprise applications, emphasizing the need for secure coding practices and regular security assessments.
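The pattern behind this class of bug, and the two remediation routes the advisory describes (validation before deserialization, and a safer alternative to unserialize()), as an added illustration that is not Bitdefender's code; the function and field names are hypothetical and the payload is constructed:

```php
<?php
// Added example, not GravityZone code. Shows why unserialize() on
// user-controlled input is dangerous and how a fix typically looks.

// Hypothetical helper standing in for a request parameter. The sample
// value is a constructed serialized object of an arbitrary class.
function readRemoteSourcePayload(): string {
    return 'O:8:"stdClass":1:{s:4:"host";s:12:"mail.example";}';
}

// VULNERABLE pattern: unserialize() instantiates whatever class the payload
// names, so any loaded class with __wakeup()/__destruct() side effects
// (file operations, process execution) becomes reachable to the caller.
function parseMailSourceUnsafe(string $payload) {
    return unserialize($payload);
}

// HARDENED (1): if the wire format cannot change yet, forbid object
// instantiation entirely. Objects degrade to __PHP_Incomplete_Class and
// no magic method ever runs; malformed input is rejected explicitly.
function parseMailSourceNoObjects(string $payload) {
    $data = unserialize($payload, ['allowed_classes' => false]);
    if ($data === false && $payload !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized payload');
    }
    return $data;
}

// HARDENED (2): the better long-term fix is a data-only format plus
// explicit validation of every field the code actually uses.
function parseMailSourceJson(string $json): array {
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    $port = isset($data['port'])
        ? filter_var($data['port'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 65535]])
        : false;
    if (!is_array($data) || !isset($data['host'])
        || !is_string($data['host']) || $port === false) {
        throw new InvalidArgumentException('invalid mail source');
    }
    return ['host' => $data['host'], 'port' => $port];
}

$payload = readRemoteSourcePayload();
var_dump(get_class(parseMailSourceUnsafe($payload)));     // real object created
var_dump(get_class(parseMailSourceNoObjects($payload)));  // incomplete class only
var_dump(parseMailSourceJson('{"host":"mail.example","port":587}'));
```

Searching a PHP code base for unserialize() calls that lack an allowed_classes option is a quick way to find the same pattern elsewhere.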
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Apr 2025 06:00:03 +0000