PHP Object Injection Vulnerability in Bitdefender GravityZone Console
CVE-2025-2244

9.5CRITICAL

Key Information:

Vendor: Bitdefender
Status: Gravityzone Console
Vendor: CVE Published:; 4 April 2025

🔔 Create Bitdefender Vulnerability Alert

What is CVE-2025-2244?

The vulnerability arises from the unsafely implemented sendMailFromRemoteSource method in Emails.php of the Bitdefender GravityZone Console, which makes use of php unserialize() on input from users without proper validation. This flaw allows an attacker to create a specially crafted serialized payload that triggers a PHP object injection. If exploited, this could enable the attacker to execute arbitrary commands on the host system and potentially perform file write operations.

Affected Version(s)

GravityZone Console 0 < 6.41.2-1

References

http://bitdefender.com/support/security-advisories/insecu...

CVSS V4

Score:

9.5

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2025
Vulnerability Reserved
Mar 12, 2025

Credit

Nicolas Verdier (@n1nj4sec)