I. VULNERABILITY
-------------------------
EMQX Dashboard – Authenticated Insecure Plugin Upload Leading to Remote Code Execution (RCE)


II. CVE REFERENCE
-------------------------
CVE-2025-xxxxx (To be updated)


III. VENDOR AND SOFTWARE
-------------------------
Vendor: EMQ Technologies (https://www.emqx.com/)
Product: EMQX
Affected Component: EMQX Dashboard
Documentation: https://docs.emqx.com/en/emqx/latest/dashboard/introduction.html


IV. DESCRIPTION
-------------------------
A remote code execution (RCE) vulnerability exists in the EMQX Dashboard component of EMQX, up to and including version 5.8.5. Authenticated users can upload plugins containing arbitrary code, including any kind of Erlang code, which may be executed on the server hosting the web interface. This is possible due to insufficient validation during plugin installation. Additionally, the software is distributed with default credentials, increasing the risk of unauthorized access and exploitation.


IV. SOLUTION
-------------------------
Starting from version 5.8.6 (released on 2025-03-25), this vulnerability is mitigated by introducing a CLI command that must be explicitly used to allow a package before installing a plugin via the HTTP API or Dashboard. This enhancement strengthens security by preventing unauthorized plugin installations.


V. EXPLOIT
-------------------------
https://github.com/ricardojoserf/emqx-RCE - Proof of concept and exploit code


VI. CREDIT
-------------------------
Ricardo José Ruiz Fernández (@ricardojoserf)