AI description
CVE-2025-54366 describes a critical deserialization vulnerability found in FreeScout versions 1.8.185 and below. The vulnerability exists in the `/conversation/ajax` endpoint. It allows authenticated users with knowledge of the `APP_KEY` to achieve remote code execution. The vulnerability occurs because the application processes the `attachments_all` and `attachments` POST parameters through the insecure `Helper::decrypt()` function. This function performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, potentially leading to a complete compromise of the web application. This has been fixed in version 1.8.186.
- Description
- FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- Weakness (as reported by security-advisories@github.com)
- CWE-502: Deserialization of Untrusted Data
- Hype score
- Not currently trending
Articles worth reading discovered last week: AI, FileJacking and analysing CVE-2025-54366! 🤖 https://t.co/DOH3bVmBwy 🧠 https://t.co/2lRFsv307u 📂 https://t.co/ItwEe1j7BU 🔍 https://t.co/LTyLiYQaeo
@PentesterLab
10 Aug 2025
3515 Impressions
11 Retweets
58 Likes
34 Bookmarks
0 Replies
0 Quotes
Following @snyff's advice, wrote about N-Day analysis of CVE-2025-54366, deserialization of untrusted data leading to remote code execution in FreeScout. Feedback is welcome. https://t.co/N8dElKoHQm
@0xm4v3rick
7 Aug 2025
503 Impressions
2 Retweets
8 Likes
3 Bookmarks
1 Reply
0 Quotes
CVE-2025-54366 Remote Code Execution in FreeScout Help Desk via Deserialization Vulnerability https://t.co/wp4ZipT8r5
@VulmonFeeds
26 Jul 2025
67 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54366 FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserial… https://t.co/F7n83qlhXF
@CVEnew
26 Jul 2025
346 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-54366: HIGH] Critical deserialization vulnerability in FreeScout 1.8.185 and below allows remote code execution via authenticated users with APP_KEY knowledge. Mitigate by updating to version 1.8.186.#cve,CVE-2025-54366,#cybersecurity https://t.co/PF6gXYE657 https://t.c
@CveFindCom
26 Jul 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes