CVE-2025-67079

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical file upload vulnerability in Omnispace Agora Project that allows attackers to execute arbitrary code through the Imagick library's MSL engine by uploading specially crafted PDF files. Attackers can exploit this via file upload and thumbnail generation functions, potentially leading to complete system compromise. All users running Agora Project versions before 25.10 are affected.

💻 Affected Systems

Products:
  • Omnispace Agora Project
Versions: All versions before 25.10
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Imagick library integration used for PDF processing in file upload and thumbnail functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with remote code execution, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web server compromise, data theft, and potential ransomware deployment.

🟢 If Mitigated

Limited impact if file uploads are disabled or strict file type validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only file upload capability, making this easily weaponizable once details become public.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.10

Vendor Advisory: https://www.agora-project.net

Restart Required: Yes

Instructions:

1. Backup your Agora Project installation and database.
2. Download version 25.10 from the official Agora Project website.
3. Replace the existing installation with the new version.
4. Restart the web server and application services.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable PDF uploads (all platforms)

Temporarily disable PDF file uploads in the Agora Project configuration: edit the configuration to remove PDF from the allowed file types.

Disable Imagick PDF processing (linux)

Configure ImageMagick (the library behind the Imagick PHP extension, which enforces its security policy) to disable PDF format support. Edit ImageMagick's policy.xml to add:

<policy domain="coder" rights="none" pattern="PDF" />
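To confirm the policy.xml workaround is actually in force, here is an added example (not from this advisory and not Agora Project code) that parses an ImageMagick policy file and reports whether the coders the workaround depends on are denied. It checks MSL as well as PDF, since the TL;DR names the MSL engine as the code path the crafted PDF reaches; the sample policy is constructed inline, and on a real host you would read the file that `convert -list policy` reports as loaded.

```python
"""Check whether an ImageMagick policy.xml denies the PDF (and MSL) coders.
Added example for this advisory; not part of Agora Project or ImageMagick."""
import re
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Constructed sample policy: the advisory's PDF line plus a Debian-style brace
# pattern and an unrelated resource limit. Not copied from any real host.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,XPS}" />
</policymap>
"""


def _expand_braces(pattern: str) -> list:
    """Expand ImageMagick brace alternatives: "{PS,PDF}" -> ["PS", "PDF"]."""
    m = re.search(r"\{([^}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    return [alt for part in m.group(1).split(",")
            for alt in _expand_braces(head + part + tail)]


def coder_denied(policy_xml: str, coder: str) -> bool:
    """True if any coder-domain policy with rights="none" matches the coder.
    Assumption: names and patterns are compared upper-cased, because
    ImageMagick coder names (PDF, MSL, ...) are upper-case."""
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights", "").lower() != "none":
            continue
        for alt in _expand_braces(pol.get("pattern", "")):
            if fnmatchcase(coder.upper(), alt.strip().upper()):
                return True
    return False


def check_workaround(policy_xml: str, required=("PDF", "MSL")) -> dict:
    """Map each coder the workaround should block to whether the policy denies it."""
    return {c: coder_denied(policy_xml, c) for c in required}


if __name__ == "__main__":
    for coder, ok in check_workaround(SAMPLE_POLICY).items():
        print(f"{coder}: {'denied' if ok else 'STILL ALLOWED'}")
```

Run against the constructed sample it reports PDF as denied but MSL still allowed, which is the state a host ends up in after applying only the advisory's one-line change.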

🧯 If You Can't Patch

  • Implement strict file type validation rejecting all PDF files
  • Deploy WAF rules to block PDF uploads and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Agora Project version in admin panel or configuration files

Check Version:

Check Agora Project admin interface or config/version.txt file

Verify Fix Applied:

Verify version is 25.10 or later and test PDF upload functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF uploads to Agora Project
  • Imagick process errors or crashes
  • Unexpected system command execution

Network Indicators:

  • PDF file uploads to Agora Project endpoints
  • Outbound connections from web server to unknown destinations

SIEM Query:

source="agora_logs" AND (file_extension="pdf" OR process="imagick")
