Plugin Vulnerability in EMQX Dashboard by EMQ Technologies
CVE-2025-52136

3LOW

Key Information:

Vendor: EMQx
Status: EMQx
Vendor: CVE Published:; 10 August 2025

What is CVE-2025-52136?

In EMQX versions before 5.8.6, a vulnerability exists that allows administrators to install arbitrary plugins via the Dashboard web interface. While the vendor suggests that this behavior is intended, it raises significant security concerns as it can lead to unauthorized plugin installs. Following the release of version 5.8.6, a new defensive feature was introduced, enabling administrators to control plugin acceptability by using the 'emqx ctl plugins allow' command in the CLI. This enhancement adds an extra layer of security to plugin management within the EMQX Dashboard.

Affected Version(s)

EMQX 0 < 5.8.6

References

https://github.com/ricardojoserf/emqx-RCE

https://docs.emqx.com/en/emqx/latest/dashboard/introducti...

https://docs.emqx.com/en/emqx/latest/deploy/install-docke...

CVSS V3.1

Score:

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 10, 2025
Vulnerability Reserved
Jun 16, 2025

EMQx

What is CVE-2025-52136?

Affected Version(s)

References

CVSS V3.1

Timeline