Deserialization Vulnerability in MaxD Lightning Module for OpenCart
CVE-2025-0974

2.3LOW

Key Information:

Vendor
Maxd
Status
Lightning Module
Vendor
CVE Published:
3 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A deserialization vulnerability exists in the MaxD Lightning Module version 4.43 for OpenCart. This flaw can be exploited remotely by manipulating specific arguments, leading to unintended data handling during deserialization processes. Although the complexity of executing such an attack is elevated, public disclosure of the exploit vectors poses significant risks, as attackers may leverage this information to compromise affected systems. As a result, immediate remediation is advised to mitigate potential threats.

Affected Version(s)

Lightning Module 4.43

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-0974 - Proof of Concept

References

https://vuldb.com/?id.294365
vdb-entrytechnical-description
https://vuldb.com/?ctiid.294365
signaturepermissions-required
https://vuldb.com/?submit.489672
third-party-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

mcdruid (VulDB User)
.