CVE-2025-11135

7.3 HIGH

📋 TL;DR

This vulnerability in pmTicket Project-Management-Software allows remote attackers to execute arbitrary code by supplying a manipulated user_id value that the Cookie Handler component deserializes. A public exploit exists and the attack can be launched remotely without authentication. Every installation running the affected code is at risk.

💻 Affected Systems

Products:
  • pmTicket Project-Management-Software
Versions: All versions up to commit 2ef379da2075f4761a2c9029cf91d073474e7486
Operating Systems: All platforms running pmTicket
Default Config Vulnerable: ⚠️ Yes
Notes: Continuous delivery model means no specific version numbers available. All instances with the vulnerable code are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to gain shell access, install malware, or exfiltrate sensitive data.

🟢

If Mitigated

Attack blocked at network perimeter or through input validation, resulting in no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit demonstration is available as an asciinema recording. The attack can be initiated remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider workarounds or alternative software.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Validate the user_id cookie value strictly before it reaches any deserialization call; a user id only ever needs to be an integer identifier, so nothing else should be accepted.

Modify classes/class.database.php to validate and sanitize the user_id input before it is processed.
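The workaround above, as an added example in PHP. This is not pmTicket's code: the function names, the use of a plain cookie array and the exact shape of the unsafe call are assumptions drawn from the advisory's description of a user_id cookie value being deserialized. It shows the unsafe pattern beside a hardened replacement that never deserializes client input, plus a fallback for code that must still call unserialize().

```php
<?php
// Added illustration, not pmTicket's code. Function names, the cookie array
// parameter and the shape of the unsafe call are assumptions based on the
// advisory: a user_id cookie value handed to unserialize().

// Unsafe pattern. Whatever the client puts in the cookie reaches
// unserialize(), so a crafted O:/C: payload instantiates any loadable class
// and its __wakeup()/__destruct() run with the application's privileges.
function loadUserIdUnsafe(array $cookies)
{
    if (!isset($cookies['user_id'])) {
        return null;
    }
    return unserialize($cookies['user_id']);   // attacker-controlled input
}

// Hardened replacement. A user id only ever needs to be a positive integer,
// so do not deserialize it at all: accept a canonical decimal string and cast.
function loadUserIdHardened(array $cookies): ?int
{
    // $_COOKIE values are strings unless the client sends user_id[]=...,
    // so reject anything that is not a string up front.
    if (!isset($cookies['user_id']) || !is_string($cookies['user_id'])) {
        return null;
    }
    $raw = $cookies['user_id'];
    // ctype_digit() rejects "O:8:...", signs, whitespace and the empty
    // string; the length cap keeps the value inside 64-bit integer range.
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// If some code path genuinely must unserialize() legacy cookie data, forbid
// object instantiation: with allowed_classes=false every O:/C: entry becomes
// __PHP_Incomplete_Class (nested ones too) and no magic method runs. Objects
// are then rejected outright so only scalars and arrays of scalars remain.
function unserializeScalarOnly(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null;   // malformed input (false is only legitimate for "b:0;")
    }
    if (is_object($value)) {
        return null;
    }
    return $value;
}

// Constructed inputs: a benign id and a serialized-object payload.
$benign = ['user_id' => '42'];
$attack = ['user_id' => 'O:8:"stdClass":1:{s:1:"x";s:1:"y";}'];

var_dump(loadUserIdHardened($benign));
var_dump(loadUserIdHardened($attack));
var_dump(unserializeScalarOnly($attack['user_id']));
```

The durable fix is to stop carrying application state in the cookie at all: keep the user id in a server-side session and let the cookie hold only the opaque session identifier. The allowed_classes option requires PHP 7.0 or later.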

WAF Rule Implementation

Platform: all

Deploy web application firewall rules that block deserialization attempts against the user_id cookie.

Add a WAF rule that detects and blocks PHP serialized-object patterns (values beginning with O: or C:, a length, and a quoted class name) in request parameters and cookies, including URL-encoded and base64-encoded forms.

🧯 If You Can't Patch

  • Isolate pmTicket instance behind strict network segmentation with no internet access
  • Implement application-level input validation and disable vulnerable functionality if possible

🔍 How to Verify

Check if Vulnerable:

Check whether your pmTicket checkout is at commit 2ef379da2075f4761a2c9029cf91d073474e7486 or at an earlier commit. No fixed commit is listed, so any checkout at or before that commit should be treated as vulnerable.

Check Version:

git log --oneline -1

Verify Fix Applied:

Re-run the public proof-of-concept against a test instance; a fixed build must reject or ignore the crafted user_id value rather than deserializing it.

📡 Detection & Monitoring

Log Indicators:

  • Unusual unserialize() warnings or __PHP_Incomplete_Class notices in application logs
  • Suspicious user_id parameter values in access logs

Network Indicators:

  • HTTP requests with serialized objects in parameters
  • Unusual outbound connections from pmTicket server

SIEM Query:

source="pmTicket" AND ("deserialization" OR user_id="O:*" OR user_id="C:*")

This is a pseudo-query; translate it into your SIEM's syntax. Anchor the O:/C: match to the start of the user_id value (or to a ';' or '{' inside it) so ordinary text is not flagged, and decode URL-encoded and base64-encoded cookie values before matching.
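The WAF rule above and this SIEM query both hinge on recognising PHP serialized-object payloads in a cookie value. Added example in PHP, not part of the advisory or of pmTicket: a matcher tighter than a bare "O:"/"C:" substring, applied to constructed log lines that carry the raw Cookie header. The tab-separated log layout, the sample lines and the function names are assumptions. The same looksLikeSerializedObject() check can gate the value at the application or WAF layer before it reaches unserialize().

```php
<?php
// Added example for this page, not code from pmTicket or the advisory.
// Assumed input: tab-separated lines "client_ip<TAB>path<TAB>status<TAB>Cookie header",
// i.e. a custom log format that records the raw Cookie header. The sample
// lines at the bottom are constructed, not captured from a real instance.

/**
 * True when $value carries a PHP serialized object (O:...) or custom-
 * serialized object (C:...), sent raw, URL-encoded, or base64-encoded.
 * Tighter than a bare "O:" substring match, which also hits text such as "INFO:".
 */
function looksLikeSerializedObject(string $value): bool
{
    $candidates = [$value, rawurldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false && $b64 !== '') {
        $candidates[] = $b64;
    }
    // O:<len>:"<class>":<count>:{  or  C:<len>:"<class>":<len>:{
    // at a position where a serialized element can start:
    // string start, or right after ';' or '{' (nested inside an array).
    $re = '/(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{/';
    foreach ($candidates as $c) {
        if (preg_match($re, $c) === 1) {
            return true;
        }
    }
    return false;
}

/** Parse a raw Cookie header into name => value (first occurrence wins). */
function parseCookieHeader(string $header): array
{
    $out = [];
    // Note: a raw payload containing ';' is cut at the first ';' here, just
    // as PHP's own cookie parsing would cut it. Real attacks therefore arrive
    // URL- or base64-encoded; the O:/C: prefix still matches either way.
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        $name = trim($name);
        if (!isset($out[$name])) {
            $out[$name] = $value;
        }
    }
    return $out;
}

/** Return the log entries whose user_id cookie looks like a serialized object. */
function findSuspiciousUserIdCookies(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $fields = explode("\t", $line);
        if (count($fields) < 4) {
            continue;
        }
        $cookies = parseCookieHeader($fields[3]);
        if (isset($cookies['user_id']) && looksLikeSerializedObject($cookies['user_id'])) {
            $hits[] = ['ip' => $fields[0], 'path' => $fields[1], 'user_id' => $cookies['user_id']];
        }
    }
    return $hits;
}

// Constructed sample lines: one benign integer id, one raw serialized
// object, one URL-encoded copy of it, and one base64-encoded copy.
$payload = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';
$lines = [
    "10.0.0.5\t/index.php\t200\tPHPSESSID=abc123; user_id=42",
    "203.0.113.9\t/index.php\t200\tuser_id=" . $payload,
    "203.0.113.9\t/index.php\t200\tuser_id=" . rawurlencode($payload),
    "198.51.100.7\t/index.php\t500\tuser_id=" . base64_encode($payload),
];

foreach (findSuspiciousUserIdCookies($lines) as $hit) {
    printf("ALERT %s %s user_id=%s\n", $hit['ip'], $hit['path'], $hit['user_id']);
}
```

Run it with `php detect_user_id.php`; the benign line is ignored and the three payload lines are reported. Pair the match with the second indicator listed above (unusual outbound connections from the pmTicket host), since a successful deserialization exploit is usually followed by a callback or download.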
